Merge pull request #324 from simartin/char_array_overrun_test

Added a test for out-of-bounds character array access.
PKEuS 2014-05-27 21:45:17 +02:00
commit 119a84011c
2 changed files with 9 additions and 4 deletions


@ -1439,13 +1439,12 @@ void CheckBufferOverrun::checkGlobalAndLocalVariable()
// check string literals
for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) {
if (Token::Match(tok, "%str% [ %num% ]")) {
std::string str = tok->strValue();
std::size_t index = (std::size_t)std::atoi(tok->strAt(2).c_str());
if (index > str.length()) {
const std::size_t strLen = tok->str().size() - 2; // Don't count enclosing quotes
const std::size_t index = (std::size_t)std::atoi(tok->strAt(2).c_str());
if (index > strLen)
bufferOverrunError(tok, tok->str());
}
}
}
// check all known fixed size arrays first by just looking them up
const SymbolDatabase* symbolDatabase = _tokenizer->getSymbolDatabase();
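Review bot: The length computed in `const std::size_t strLen = tok->str().size() - 2;` counts source characters between the quotes, so a literal with escape sequences looks longer than the array it denotes. For `"\n"[2]` strLen would be 2, and the read past the terminator goes unreported. This assumes the token keeps the raw spelling, which the quote-stripping comment suggests; the bound should come from the decoded literal instead. Separately, `std::atoi` reads a hex index such as `0x10` as 0 and has undefined behaviour on overflow, so non-decimal or very large indices can slip through too; the project's `MathLib::toLongNumber` looks like the better fit if it is usable here. checkGlobalAndLocalVariable() starts before and continues after this hunk.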


@ -169,6 +169,7 @@ private:
TEST_CASE(buffer_overrun_25); // #4096
TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault)
TEST_CASE(buffer_overrun_27); // #4444 (segmentation fault)
TEST_CASE(buffer_overrun_28); // Out of bound char array access
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
TEST_CASE(buffer_overrun_function_array_argument);
TEST_CASE(possible_buffer_overrun_1); // #3035
@ -2719,6 +2720,11 @@ private:
ASSERT_EQUALS("", errout.str());
}
void buffer_overrun_28() {
check("char c = \"abc\"[4];");
ASSERT_EQUALS("[test.cpp:1]: (error) Buffer is accessed out of bounds: \"abc\"\n", errout.str());
}
void buffer_overrun_bailoutIfSwitch() {
// No false positive
check("void f1(char *s) {\n"
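Review bot: buffer_overrun_28 pins only the failing side of the comparison. Nothing asserts that index 3, the terminating NUL of "abc", is still accepted, so a later change from `>` to `>=` in the checker would pass this test while introducing a false positive. Add the boundary case next to it: `check("char c = \"abc\"[3];");` followed by `ASSERT_EQUALS("", errout.str());`. A literal containing an escape sequence would also be worth a case, since the expected bound there depends on how the checker measures the literal. buffer_overrun_bailoutIfSwitch at the end of the hunk continues past what is shown.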