Fixed #3283 (False negative: array index out of bounds not found for constant string and known array index value)

2011-11-30 19:17:09 -08:00 · 2011-11-30 19:17:09 -08:00 · 344d7e2f34
parent 0bf17213ec
commit 344d7e2f34
2 changed files with 44 additions and 0 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -1246,6 +1246,17 @@ void CheckBufferOverrun::checkReadlinkBufferUsage(const Token* tok, const Token

 void CheckBufferOverrun::checkGlobalAndLocalVariable()
 {
+    // check string literals
+    for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) {
+        if (Token::Match(tok, "%str% [ %num% ]")) {
+            std::string str = tok->strValue();
+            std::size_t index = atoi(tok->tokAt(2)->str().c_str());
+            if (index > str.length()) {
+                bufferOverrunError(tok, tok->str());
+            }
+        }
+    }
+
    // check all known fixed size arrays first by just looking them up
    for (unsigned int i = 1; i <= _tokenizer->varIdCount(); i++) {
        const Variable *var = _tokenizer->getSymbolDatabase()->getVariableFromVarId(i);
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -128,6 +128,7 @@ private:
        TEST_CASE(array_index_vla_for);    // #3221: access VLA inside for
        TEST_CASE(array_index_extern);      // FP when using 'extern'. #1684
        TEST_CASE(array_index_cast);       // FP after cast. #2841
+        TEST_CASE(array_index_string_literal);

        TEST_CASE(buffer_overrun_1);
        TEST_CASE(buffer_overrun_2);
@ -1657,6 +1658,38 @@ private:
        ASSERT_EQUALS("[test.cpp:6] -> [test.cpp:2]: (error) Array 'x[2]' index 4 out of bounds\n", errout.str());
    }

+    void array_index_string_literal() {
+        check("void f()\n"
+              "{\n"
+              "    const char *str = \"abc\";\n"
+              "    int i = 10;\n"
+              "    bar(str[i]);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:5]: (error) Buffer access out-of-bounds: \"abc\"\n", errout.str());
+
+        check("void f()\n"
+              "{\n"
+              "    const char *str = \"abc\";\n"
+              "    bar(str[4]);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds: \"abc\"\n", errout.str());
+
+        check("void f()\n"
+              "{\n"
+              "    const char *str = \"abc\";\n"
+              "    bar(str[3]);\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+
+        check("void f()\n"
+              "{\n"
+              "    const char *str = \"a\tc\";\n"
+              "    bar(str[4]);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds: \"a\tc\"\n", errout.str());
+
+    }
+
    void buffer_overrun_1() {
        check("void f()\n"
              "{\n"