Fix #11145 FP negativeMemoryAllocationSize with possible value (#4387)

chrchr-github 2022-08-20 07:56:31 +02:00 committed by GitHub
parent f138df2909
commit 2ab8de2650
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 7 deletions


@ -1141,7 +1141,7 @@ void CheckBufferOverrun::negativeArraySize()
continue; continue;
const ValueFlow::Value* sz = valOperand->getValueLE(-1, mSettings); const ValueFlow::Value* sz = valOperand->getValueLE(-1, mSettings);
if (sz) if (sz)
negativeMemoryAllocationSizeError(tok); negativeMemoryAllocationSizeError(tok, sz);
} }
} }
} }
@ -1155,8 +1155,11 @@ void CheckBufferOverrun::negativeArraySizeError(const Token* tok)
"Declaration of array '" + arrayName + "' with negative size is undefined behaviour", CWE758, Certainty::safe); "Declaration of array '" + arrayName + "' with negative size is undefined behaviour", CWE758, Certainty::safe);
} }
void CheckBufferOverrun::negativeMemoryAllocationSizeError(const Token* tok) void CheckBufferOverrun::negativeMemoryAllocationSizeError(const Token* tok, const ValueFlow::Value* value)
{ {
reportError(tok, Severity::error, "negativeMemoryAllocationSize", const std::string msg = "Memory allocation size is negative.";
"Memory allocation size is negative.", CWE131, Certainty::safe); const ErrorPath errorPath = getErrorPath(tok, value, msg);
const bool inconclusive = value != nullptr && !value->isKnown();
reportError(errorPath, inconclusive ? Severity::warning : Severity::error, "negativeMemoryAllocationSize",
msg, CWE131, inconclusive ? Certainty::inconclusive : Certainty::safe);
} }
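Review bot: In negativeMemoryAllocationSizeError, `inconclusive` is computed as `value != nullptr && !value->isKnown()`, so every possible (non-known) negative size is reported with Certainty::inconclusive in addition to being downgraded to Severity::warning. A possible value is not the same thing as an inconclusive one, and if inconclusive results are only shown when explicitly enabled, a reachable negative allocation size (CWE131), such as the `n <= 0` path in the test added by this commit, would be hidden in a default run. Consider keeping the warning severity for possible values but taking the certainty from the value itself, e.g. `value && value->isInconclusive() ? Certainty::inconclusive : Certainty::normal`. Whether `getValueLE(-1, mSettings)` in negativeArraySize() already filters by the enabled severity and certainty is not visible in these hunks, and both function bodies start outside them.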


@ -87,9 +87,8 @@ public:
c.bufferOverflowError(nullptr, nullptr, Certainty::normal); c.bufferOverflowError(nullptr, nullptr, Certainty::normal);
c.objectIndexError(nullptr, nullptr, true); c.objectIndexError(nullptr, nullptr, true);
c.argumentSizeError(nullptr, "function", 1, "buffer", nullptr, nullptr); c.argumentSizeError(nullptr, "function", 1, "buffer", nullptr, nullptr);
c.negativeMemoryAllocationSizeError(nullptr); c.negativeMemoryAllocationSizeError(nullptr, nullptr);
c.negativeArraySizeError(nullptr); c.negativeArraySizeError(nullptr);
c.negativeMemoryAllocationSizeError(nullptr);
} }
/** @brief Parse current TU and extract file info */ /** @brief Parse current TU and extract file info */
@ -125,7 +124,7 @@ private:
void negativeArraySize(); void negativeArraySize();
void negativeArraySizeError(const Token* tok); void negativeArraySizeError(const Token* tok);
void negativeMemoryAllocationSizeError(const Token* tok); // provide a negative value to memory allocation function void negativeMemoryAllocationSizeError(const Token* tok, const ValueFlow::Value* value); // provide a negative value to memory allocation function
void objectIndex(); void objectIndex();
void objectIndexError(const Token *tok, const ValueFlow::Value *v, bool known); void objectIndexError(const Token *tok, const ValueFlow::Value *v, bool known);
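Review bot: The trailing comment on the negativeMemoryAllocationSizeError declaration does not describe the new `value` parameter, in particular that it may be null. The first hunk of this header calls it with `nullptr, nullptr`, and the definition shown in this commit then reports Severity::error with Certainty::safe, while a non-null value that is not known produces an inconclusive warning. I would extend the comment to say so, e.g. `// value: ValueFlow value with the negative size, may be nullptr; a non-known value is reported as an inconclusive warning`.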


@ -4911,6 +4911,15 @@ private:
" a = (int *)alloca( -10 );\n" " a = (int *)alloca( -10 );\n"
"}"); "}");
TODO_ASSERT_EQUALS("[test.cpp:4]: (error) Memory allocation size is negative.\n", "", errout.str()); TODO_ASSERT_EQUALS("[test.cpp:4]: (error) Memory allocation size is negative.\n", "", errout.str());
check("int* f(int n) {\n" // #11145
" int d = -1;\n"
" for (int i = 0; i < n; ++i)\n"
" d = std::max(i, d);\n"
" int* p = new int[d];\n"
" return p;\n"
"}\n");
ASSERT_EQUALS("[test.cpp:2] -> [test.cpp:3] -> [test.cpp:5]: (warning, inconclusive) Memory allocation size is negative.\n", errout.str());
} }
void negativeArraySize() { void negativeArraySize() {