Merge pull request #324 from simartin/char_array_overrun_test
Added a test for out-of-bounds character array access.
commit
119a84011c
|
@ -1439,13 +1439,12 @@ void CheckBufferOverrun::checkGlobalAndLocalVariable()
|
|||
// check string literals
|
||||
for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) {
|
||||
if (Token::Match(tok, "%str% [ %num% ]")) {
|
||||
std::string str = tok->strValue();
|
||||
std::size_t index = (std::size_t)std::atoi(tok->strAt(2).c_str());
|
||||
if (index > str.length()) {
|
||||
const std::size_t strLen = tok->str().size() - 2; // Don't count enclosing quotes
|
||||
const std::size_t index = (std::size_t)std::atoi(tok->strAt(2).c_str());
|
||||
if (index > strLen)
|
||||
bufferOverrunError(tok, tok->str());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// check all known fixed size arrays first by just looking them up
|
||||
const SymbolDatabase* symbolDatabase = _tokenizer->getSymbolDatabase();
|
||||
|
|
|
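Review bot: `strLen` in the string-literal check is taken from `tok->str().size() - 2`, which counts the literal as written in the source, so a literal containing escape sequences (for example `"\n"`, two source characters but one `char`) gets a length that is too large and an index just past its real end goes unreported. If this tree has a helper that returns the decoded length of a string token (cppcheck's `Token::getStrLength(tok)`, if present at this revision), using it would close that false negative; otherwise state the limit next to the computation, e.g. `// escape sequences are counted as written, so strLen may overestimate`. Separately, `std::atoi` yields 0 for an index written in hex such as `0x10` and is undefined for values that do not fit in `int`, so the project's own number parser (presumably `MathLib::toLongNumber`) would be the safer source for `index`. The +/- markers are missing on this page, so which lines are new is inferred from the hunk header counts, and `checkGlobalAndLocalVariable` starts and continues outside the hunk.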
@ -169,6 +169,7 @@ private:
|
|||
TEST_CASE(buffer_overrun_25); // #4096
|
||||
TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault)
|
||||
TEST_CASE(buffer_overrun_27); // #4444 (segmentation fault)
|
||||
TEST_CASE(buffer_overrun_28); // Out of bound char array access
|
||||
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
|
||||
TEST_CASE(buffer_overrun_function_array_argument);
|
||||
TEST_CASE(possible_buffer_overrun_1); // #3035
|
||||
|
@ -2719,6 +2720,11 @@ private:
|
|||
ASSERT_EQUALS("", errout.str());
|
||||
}
|
||||
|
||||
void buffer_overrun_28() {
|
||||
check("char c = \"abc\"[4];");
|
||||
ASSERT_EQUALS("[test.cpp:1]: (error) Buffer is accessed out of bounds: \"abc\"\n", errout.str());
|
||||
}
|
||||
|
||||
void buffer_overrun_bailoutIfSwitch() {
|
||||
// No false positive
|
||||
check("void f1(char *s) {\n"
|
||||
|
|
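Review bot: `buffer_overrun_28` exercises only index 4, one past the terminating NUL, so the boundary of the new `index > strLen` comparison is not pinned by any test. Add the in-bounds boundary case to the same function, `check("char c = \"abc\"[3];");` followed by `ASSERT_EQUALS("", errout.str());`, so that a later change to `>=` shows up as a false positive on reading the terminator. A further case with an escape sequence inside the literal would record how the check measures such strings, since the checker appears to count source characters rather than decoded ones.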