Fixed #4398 (False negative: out of bounds (for loop))

2012-12-22 08:00:05 +01:00 · 2012-12-22 08:00:05 +01:00 · 365a260ddc
parent 80848c6e0e
commit 365a260ddc
2 changed files with 15 additions and 1 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -784,7 +784,7 @@ void CheckBufferOverrun::checkScopeForBody(const Token *tok, const ArrayInfo &ar
    if (!for3(tok2->next(), counter_varid, min_counter_value, max_counter_value, maxMinFlipped))
        return;

-    if (Token::Match(tok2->next(), "%var% =") && MathLib::toLongNumber(max_counter_value) <= size)
+    if (Token::Match(tok2->next(), "%var% =") && MathLib::toLongNumber(max_counter_value) < size)
        condition_out_of_bounds = false;

    // Goto the end parenthesis of the for-statement: "for (x; y; z)" ..
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -862,6 +862,20 @@ private:
              "        a[i+6] = i;\n"
              "}\n");
        ASSERT_EQUALS("[test.cpp:5]: (error) Array 'a[12]' accessed at index 12, which is out of bounds.\n", errout.str());
+
+        check("void f() {\n"  // #4398
+              "    int a[2];\n"
+              "    for (int i = 0; i < 4; i+=2)\n"
+              "        a[i] = 0;\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: a\n", errout.str());
+
+        check("void f() {\n"  // #4398
+              "    int a[2];\n"
+              "    for (int i = 0; i < 4; i+=2)\n"
+              "        do_stuff(&a[i]);\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
    }

    void array_index_18() {