Fix #2304 FN known strcpy parameter (#4396)

* Fix #2304 FN known strcpy parameter * Parentheses * Format
2022-08-24 21:23:45 +02:00 · 2022-08-24 21:23:45 +02:00 · 456c6b410e
parent 94322d6e0a
commit 456c6b410e
3 changed files with 15 additions and 5 deletions
--- a/lib/valueflow.cpp
+++ b/lib/valueflow.cpp
@ -1194,7 +1194,8 @@ static Token * valueFlowSetConstantValue(Token *tok, const Settings *settings, b
        setTokenValue(tok, value, settings);
    } else if (Token::simpleMatch(tok, "sizeof (")) {
        if (tok->next()->astOperand2() && !tok->next()->astOperand2()->isLiteral() && tok->next()->astOperand2()->valueType() &&
-            tok->next()->astOperand2()->valueType()->pointer == 0 && // <- TODO this is a bailout, abort when there are array->pointer conversions
+            (tok->next()->astOperand2()->valueType()->pointer == 0 || // <- TODO this is a bailout, abort when there are array->pointer conversions
+             (tok->next()->astOperand2()->variable() && !tok->next()->astOperand2()->variable()->isArray())) &&
            !tok->next()->astOperand2()->valueType()->isEnum()) { // <- TODO this is a bailout, handle enum with non-int types
            const size_t sz = ValueFlow::getSizeOf(*tok->next()->astOperand2()->valueType(), settings);
            if (sz) {
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -249,6 +249,7 @@ private:
        TEST_CASE(buffer_overrun_32); //#10244
        TEST_CASE(buffer_overrun_33); //#2019
        TEST_CASE(buffer_overrun_34); //#11035
+        TEST_CASE(buffer_overrun_35); //#2304
        TEST_CASE(buffer_overrun_errorpath);
        TEST_CASE(buffer_overrun_bailoutIfSwitch);  // ticket #2378 : bailoutIfSwitch
        TEST_CASE(buffer_overrun_function_array_argument);
@ -3194,9 +3195,7 @@ private:
        ASSERT_EQUALS("[test.cpp:5]: (error) Array 'z[16]' accessed at index 19, which is out of bounds.\n", errout.str());
    }

-    // #11035
-    void buffer_overrun_34()
-    {
+    void buffer_overrun_34() { // #11035
        check("struct S {\n"
              "    std::vector<int> v;\n"
              "    int a[15] = {};\n"
@ -3210,6 +3209,16 @@ private:
        ASSERT_EQUALS("", errout.str());
    }

+    void buffer_overrun_35() { // #2304
+        check("void f() {\n"
+              "    char* q = \"0123456789\";\n"
+              "    char* p = (char*)malloc(sizeof(q) + 1);\n"
+              "    strcpy(p, q);\n"
+              "    free(p);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: p\n", errout.str());
+    }
+
    void buffer_overrun_errorpath() {
        setMultiline();
        settings0.templateLocation = "{file}:{line}:note:{info}";
--- a/test/testsimplifytokens.cpp
+++ b/test/testsimplifytokens.cpp
@ -141,7 +141,7 @@ private:
        // FIXME Does expression id handle these? TEST_CASE(simplifyKnownVariables29);    // ticket #1811
        TEST_CASE(simplifyKnownVariables30);
        TEST_CASE(simplifyKnownVariables34);
-        TEST_CASE(simplifyKnownVariables36);    // ticket #2304 - known value for strcpy parameter
+        TEST_CASE(simplifyKnownVariables36);    // ticket #5972
        TEST_CASE(simplifyKnownVariables42);    // ticket #2031 - known string value after strcpy
        TEST_CASE(simplifyKnownVariables43);
        TEST_CASE(simplifyKnownVariables44);    // ticket #3117 - don't simplify static variables