Fixed ticket #570 (Buffer overrun not detected when sprintf() format string greater then buffer size)

http://sourceforge.net/apps/trac/cppcheck/ticket/570
This commit is contained in:
Slava Semushin 2009-08-08 21:52:35 +07:00
parent 92d4c086ce
commit 0f96299d87
2 changed files with 44 additions and 2 deletions


@ -382,11 +382,36 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
// sprintf.. // sprintf..
if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% ,", varid)) if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% [,)]", varid))
{ {
int len = 0; int len = -2;
const Token *end = tok->next()->link(); const Token *end = tok->next()->link();
// check format string
const char *fmt = tok->strAt(4);
while (*fmt)
{
if (*fmt == '\\')
{
++fmt;
}
else if (*fmt == '%')
{
// FIXME: better handling for format specifiers
fmt += 2;
continue;
}
++fmt;
++len;
}
if (len >= (int)size)
{
bufferOverrun(tok);
}
// check arguments
len = 0;
for (const Token *tok2 = tok->tokAt(6); tok2 && tok2 != end; tok2 = tok2->next()) for (const Token *tok2 = tok->tokAt(6); tok2 && tok2 != end; tok2 = tok2->next())
{ {
if (tok2->str()[0] == '\"') if (tok2->str()[0] == '\"')
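Review bot: The `%` branch of the format-string scan advances `fmt += 2` without checking that a conversion character follows, so a literal ending in `%` (e.g. `"100%"`) steps past the terminating NUL and the `while (*fmt)` loop reads beyond the token's string; guard it with `if (fmt[1] == '\0') break;` ahead of the `fmt += 2`. The same branch skips `%%` entirely although it produces one output character, so `len` under-counts by one per escaped percent — either note that beside the existing FIXME or handle it with `if (fmt[1] == '%') ++len;`. Separately, the widened pattern `[,)]` now admits a call with no arguments, and in that case token 5 is the closing parenthesis that `end` presumably resolves to via `link()`, so the argument loop starting at `tok->tokAt(6)` begins beyond `end` and only stops at a null token, walking into unrelated code; consider skipping that loop when `tok->tokAt(5) == end`. The argument loop body and the rest of checkScope continue outside the hunk.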


@ -95,6 +95,7 @@ private:
TEST_CASE(sprintf1); TEST_CASE(sprintf1);
TEST_CASE(sprintf2); TEST_CASE(sprintf2);
TEST_CASE(sprintf3);
TEST_CASE(snprintf1); TEST_CASE(snprintf1);
TEST_CASE(snprintf2); TEST_CASE(snprintf2);
@ -573,7 +574,23 @@ private:
" sprintf(str, \"%d: %s\", getnumber(), \"abcde\");\n" " sprintf(str, \"%d: %s\", getnumber(), \"abcde\");\n"
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str()); ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
}
void sprintf3()
{
check("void f()\n"
"{\n"
" char str[3];\n"
" sprintf(str, \"test\");\n"
"}\n");
ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
check("void f()\n"
"{\n"
" char str[5];\n"
" sprintf(str, \"test%s\", "");\n"
"}\n");
ASSERT_EQUALS("", errout.str());
} }
void snprintf1() void snprintf1()
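Review bot: The second case in sprintf3 does not test what it appears to: the `""` in the `\"test%s\", ""` line is not escaped, so C++ literal concatenation turns the checked snippet into `sprintf(str, "test%s", );` with no third argument at all. Write it as `" sprintf(str, \"test%s\", \"\");\n"` so the checker actually sees an empty-string argument following the format. A case with a `%%` or trailing-`%` format, and one where the format alone overruns while an argument is also present, would pin the new length computation better than the two cases given. sprintf3 is complete within the hunk; snprintf1 continues outside it.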