Fix #11145 FP negativeMemoryAllocationSize with possible value (#4387)

2022-08-20 07:56:31 +02:00 · 2022-08-20 07:56:31 +02:00 · 2ab8de2650
parent f138df2909
commit 2ab8de2650
3 changed files with 18 additions and 7 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -1141,7 +1141,7 @@ void CheckBufferOverrun::negativeArraySize()
                continue;
            const ValueFlow::Value* sz = valOperand->getValueLE(-1, mSettings);
            if (sz)
-                negativeMemoryAllocationSizeError(tok);
+                negativeMemoryAllocationSizeError(tok, sz);
        }
    }
 }
@ -1155,8 +1155,11 @@ void CheckBufferOverrun::negativeArraySizeError(const Token* tok)
                "Declaration of array '" + arrayName + "' with negative size is undefined behaviour", CWE758, Certainty::safe);
 }

-void CheckBufferOverrun::negativeMemoryAllocationSizeError(const Token* tok)
+void CheckBufferOverrun::negativeMemoryAllocationSizeError(const Token* tok, const ValueFlow::Value* value)
 {
-    reportError(tok, Severity::error, "negativeMemoryAllocationSize",
-                "Memory allocation size is negative.", CWE131, Certainty::safe);
+    const std::string msg = "Memory allocation size is negative.";
+    const ErrorPath errorPath = getErrorPath(tok, value, msg);
+    const bool inconclusive = value != nullptr && !value->isKnown();
+    reportError(errorPath, inconclusive ? Severity::warning : Severity::error, "negativeMemoryAllocationSize",
+                msg, CWE131, inconclusive ? Certainty::inconclusive : Certainty::safe);
 }
--- a/lib/checkbufferoverrun.h
+++ b/lib/checkbufferoverrun.h
@ -87,9 +87,8 @@ public:
        c.bufferOverflowError(nullptr, nullptr, Certainty::normal);
        c.objectIndexError(nullptr, nullptr, true);
        c.argumentSizeError(nullptr, "function", 1, "buffer", nullptr, nullptr);
-        c.negativeMemoryAllocationSizeError(nullptr);
+        c.negativeMemoryAllocationSizeError(nullptr, nullptr);
        c.negativeArraySizeError(nullptr);
-        c.negativeMemoryAllocationSizeError(nullptr);
    }

    /** @brief Parse current TU and extract file info */
@ -125,7 +124,7 @@ private:

    void negativeArraySize();
    void negativeArraySizeError(const Token* tok);
-    void negativeMemoryAllocationSizeError(const Token* tok); // provide a negative value to memory allocation function
+    void negativeMemoryAllocationSizeError(const Token* tok, const ValueFlow::Value* value); // provide a negative value to memory allocation function

    void objectIndex();
    void objectIndexError(const Token *tok, const ValueFlow::Value *v, bool known);
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -4911,6 +4911,15 @@ private:
              "   a = (int *)alloca( -10 );\n"
              "}");
        TODO_ASSERT_EQUALS("[test.cpp:4]: (error) Memory allocation size is negative.\n", "", errout.str());
+
+        check("int* f(int n) {\n" // #11145
+              "    int d = -1;\n"
+              "    for (int i = 0; i < n; ++i)\n"
+              "        d = std::max(i, d);\n"
+              "    int* p = new int[d];\n"
+              "    return p;\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:2] -> [test.cpp:3] -> [test.cpp:5]: (warning, inconclusive) Memory allocation size is negative.\n", errout.str());
    }

    void negativeArraySize() {