Improved the buffer overrun checks. Results that are not 100% certain must be enabled through the "-w".

2007-07-19 06:21:01 +00:00 · 2007-07-19 06:21:01 +00:00 · 3ee0d3c9d3
parent ade2265ed2
commit 3ee0d3c9d3
4 changed files with 33 additions and 4 deletions
--- a/CheckBufferOverrun.cpp
+++ b/CheckBufferOverrun.cpp
@ -48,6 +48,8 @@ TOKEN *findfunction(TOKEN *tok)
 // Writing dynamic data in buffer without bounds checking
 //---------------------------------------------------------------------------

+extern bool ShowWarnings;
+
 static void _DynamicDataCheck(TOKEN *ftok, TOKEN *tok)
 {
    const char *var2 = tok->str;
@ -67,12 +69,33 @@ static void _DynamicDataCheck(TOKEN *ftok, TOKEN *tok)
                break;
            }
        }
+        if (match(tok2,"char var [ ]"))
+        {
+            decl |= (strcmp(getstr(tok2,1),var2)==0);
+            tok2 = gettok(tok2,3);
+        }
+
+        // If ShowWarnings, only strlen(var2) counts
+        if ( ShowWarnings )
+        {
+            if (match(tok2,"strlen ( var )") &&
+                strcmp(getstr(tok2,2),var2)==0)
+            {
+                Var2Count++;
+                break;
+            }
+        }
+
+        // If not ShowWarnings, all usage of "var2" counts
+        else
+        {
            if (strcmp(tok2->str,var2)==0)
            {
                Var2Count++;
                break;
            }
        }
+    }

    // The size of Var2 isn't checked, is it?
    if (decl && Var2Count == 0)
--- a/main.cpp
+++ b/main.cpp
@ -16,7 +16,7 @@

 //---------------------------------------------------------------------------
 bool Debug = false;
-static bool ShowWarnings = false;
+bool ShowWarnings = false;
 //---------------------------------------------------------------------------

 static void CppCheck(const char FileName[]);
--- a/testbufferoverrun7/err.msg
+++ b/testbufferoverrun7/err.msg
@ -1,3 +1,4 @@
 [testbufferoverrun7\testbufferoverrun7.cpp:5]: A string with unknown length is copied to buffer.
 [testbufferoverrun7\testbufferoverrun7.cpp:10]: A string with unknown length is copied to buffer.
 [testbufferoverrun7\testbufferoverrun7.cpp:15]: A string with unknown length is copied to buffer.
+[testbufferoverrun7\testbufferoverrun7.cpp:20]: A string with unknown length is copied to buffer.
--- a/testbufferoverrun7/testbufferoverrun7.cpp
+++ b/testbufferoverrun7/testbufferoverrun7.cpp
@ -14,3 +14,8 @@ void f3(char *str)
 {
    sprintf(buf,"%s",str);
 }
+
+void f4(const char str[])
+{
+    strcpy(buf, str);
+}