Fixed ticket #570 (Buffer overrun not detected when sprintf() format string greater then buffer size)

http://sourceforge.net/apps/trac/cppcheck/ticket/570
2009-08-08 21:52:35 +07:00 · 2009-08-08 21:52:35 +07:00 · 0f96299d87
parent 92d4c086ce
commit 0f96299d87
2 changed files with 44 additions and 2 deletions
--- a/src/checkbufferoverrun.cpp
+++ b/src/checkbufferoverrun.cpp
@ -382,11 +382,36 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con


        // sprintf..
-        if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% ,", varid))
+        if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% [,)]", varid))
        {
-            int len = 0;
+            int len = -2;
            const Token *end = tok->next()->link();

+            // check format string
+            const char *fmt = tok->strAt(4);
+            while (*fmt)
+            {
+                if (*fmt == '\\')
+                {
+                    ++fmt;
+                }
+                else if (*fmt == '%')
+                {
+                    // FIXME: better handling for format specifiers
+                    fmt += 2;
+                    continue;
+                }
+                ++fmt;
+                ++len;
+            }
+
+            if (len >= (int)size)
+            {
+                bufferOverrun(tok);
+            }
+
+            // check arguments
+            len = 0;
            for (const Token *tok2 = tok->tokAt(6); tok2 && tok2 != end; tok2 = tok2->next())
            {
                if (tok2->str()[0] == '\"')
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -95,6 +95,7 @@ private:

        TEST_CASE(sprintf1);
        TEST_CASE(sprintf2);
+        TEST_CASE(sprintf3);

        TEST_CASE(snprintf1);
        TEST_CASE(snprintf2);
@ -573,7 +574,23 @@ private:
              "    sprintf(str, \"%d: %s\", getnumber(), \"abcde\");\n"
              "}\n");
        ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
+    }

+    void sprintf3()
+    {
+        check("void f()\n"
+              "{\n"
+              "    char str[3];\n"
+              "    sprintf(str, \"test\");\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
+
+        check("void f()\n"
+              "{\n"
+              "    char str[5];\n"
+              "    sprintf(str, \"test%s\", "");\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
    }

    void snprintf1()