walkero
/
cppcheck
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

#6940 Unsigned overflow in TestBufferOverrun::negativeArraySize. Don't try to calculate size of array with negative array size

This commit is contained in:
Alexander Mai 2015-11-28 07:27:52 +01:00
parent c70b71e353
commit 44305fd98e
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/tokenize.cpp
View File

@ -3157,8 +3157,8 @@ bool Tokenizer::simplifySizeof()
{ {
// Locate variable declarations and calculate the size // Locate variable declarations and calculate the size
std::map<unsigned int, unsigned int> sizeOfVar; std::map<unsigned int, unsigned int> sizeOfVar;
std::map<unsigned int, Token *> declTokOfVar; std::map<unsigned int, const Token *> declTokOfVar;
for (Token *tok = list.front(); tok; tok = tok->next()) { for (const Token *tok = list.front(); tok; tok = tok->next()) {
if (tok->varId() != 0 && sizeOfVar.find(tok->varId()) == sizeOfVar.end()) { if (tok->varId() != 0 && sizeOfVar.find(tok->varId()) == sizeOfVar.end()) {
const unsigned int varId = tok->varId(); const unsigned int varId = tok->varId();
if (Token::Match(tok->tokAt(-3), "[;{}(,] %type% * %name% [;,)]") || if (Token::Match(tok->tokAt(-3), "[;{}(,] %type% * %name% [;,)]") ||
@ -3180,9 +3180,12 @@ bool Tokenizer::simplifySizeof()
if (size == 0) if (size == 0)
continue; continue;
Token* tok2 = tok->next(); const Token* tok2 = tok->next();
do { do {
size *= MathLib::toULongNumber(tok2->strAt(1)); const MathLib::bigint arraySize = MathLib::toLongNumber(tok2->strAt(1));
if (arraySize<0)
break; // #6940 negative number
size *= (unsigned)arraySize;
tok2 = tok2->tokAt(3); tok2 = tok2->tokAt(3);
} while (Token::Match(tok2, "[ %num% ]")); } while (Token::Match(tok2, "[ %num% ]"));
if (Token::Match(tok2, "[;=]")) { if (Token::Match(tok2, "[;=]")) {