Fix #11145 FP negativeMemoryAllocationSize with possible value (#4387)

chrchr-github 2022-08-20 07:56:31 +02:00 committed by GitHub
parent f138df2909
commit 2ab8de2650
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 7 deletions


@ -1141,7 +1141,7 @@ void CheckBufferOverrun::negativeArraySize()
continue;
const ValueFlow::Value* sz = valOperand->getValueLE(-1, mSettings);
if (sz)
negativeMemoryAllocationSizeError(tok);
negativeMemoryAllocationSizeError(tok, sz);
}
}
}
@ -1155,8 +1155,11 @@ void CheckBufferOverrun::negativeArraySizeError(const Token* tok)
"Declaration of array '" + arrayName + "' with negative size is undefined behaviour", CWE758, Certainty::safe);
}
void CheckBufferOverrun::negativeMemoryAllocationSizeError(const Token* tok)
void CheckBufferOverrun::negativeMemoryAllocationSizeError(const Token* tok, const ValueFlow::Value* value)
{
reportError(tok, Severity::error, "negativeMemoryAllocationSize",
"Memory allocation size is negative.", CWE131, Certainty::safe);
const std::string msg = "Memory allocation size is negative.";
const ErrorPath errorPath = getErrorPath(tok, value, msg);
const bool inconclusive = value != nullptr && !value->isKnown();
reportError(errorPath, inconclusive ? Severity::warning : Severity::error, "negativeMemoryAllocationSize",
msg, CWE131, inconclusive ? Certainty::inconclusive : Certainty::safe);
}
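Review bot: In negativeMemoryAllocationSizeError the `inconclusive` flag is computed as `value != nullptr && !value->isKnown()`, so every possible value is reported with Certainty::inconclusive, even when value-flow itself does not mark it inconclusive. In the regression case this commit adds, the negative size looks reachable (for n <= 0 the loop never runs and d is still -1 at `new int[d]`), so anyone who filters out inconclusive results would lose a genuine CWE-131 finding. Consider keeping the severity downgrade on `!value->isKnown()` but taking the certainty from the value, e.g. `value && value->isInconclusive() ? Certainty::inconclusive : Certainty::safe`; the expected string in the new test would then need adjusting.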


@ -87,9 +87,8 @@ public:
c.bufferOverflowError(nullptr, nullptr, Certainty::normal);
c.objectIndexError(nullptr, nullptr, true);
c.argumentSizeError(nullptr, "function", 1, "buffer", nullptr, nullptr);
c.negativeMemoryAllocationSizeError(nullptr);
c.negativeMemoryAllocationSizeError(nullptr, nullptr);
c.negativeArraySizeError(nullptr);
c.negativeMemoryAllocationSizeError(nullptr);
}
/** @brief Parse current TU and extract file info */
@ -125,7 +124,7 @@ private:
void negativeArraySize();
void negativeArraySizeError(const Token* tok);
void negativeMemoryAllocationSizeError(const Token* tok); // provide a negative value to memory allocation function
void negativeMemoryAllocationSizeError(const Token* tok, const ValueFlow::Value* value); // provide a negative value to memory allocation function
void objectIndex();
void objectIndexError(const Token *tok, const ValueFlow::Value *v, bool known);
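Review bot: The declaration of negativeMemoryAllocationSizeError keeps its old trailing comment, which says nothing about the new `value` parameter. getErrorMessages in this same section passes `nullptr` for it, and the definition reports a non-known value at lower severity, so the contract is worth stating at the declaration, e.g. `// value: flow value that triggered the report, may be nullptr; a non-known value is reported as an inconclusive warning`. The class body continues outside both hunks.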


@ -4911,6 +4911,15 @@ private:
" a = (int *)alloca( -10 );\n"
"}");
TODO_ASSERT_EQUALS("[test.cpp:4]: (error) Memory allocation size is negative.\n", "", errout.str());
check("int* f(int n) {\n" // #11145
" int d = -1;\n"
" for (int i = 0; i < n; ++i)\n"
" d = std::max(i, d);\n"
" int* p = new int[d];\n"
" return p;\n"
"}\n");
ASSERT_EQUALS("[test.cpp:2] -> [test.cpp:3] -> [test.cpp:5]: (warning, inconclusive) Memory allocation size is negative.\n", errout.str());
}
void negativeArraySize() {