Fix #11586 FP ctuArrayIndex with unknown typedef (#4831)

This commit is contained in:
chrchr-github 2023-03-02 21:19:53 +01:00 committed by GitHub
parent 7f62d8ff98
commit 51c5a79150
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 2 deletions


@ -365,7 +365,8 @@ CTU::FileInfo *CTU::getFileInfo(const Tokenizer *tokenizer)
functionCall.location = FileInfo::Location(tokenizer, tok); functionCall.location = FileInfo::Location(tokenizer, tok);
functionCall.callArgNr = argnr + 1; functionCall.callArgNr = argnr + 1;
functionCall.callArgumentExpression = argtok->expressionString(); functionCall.callArgumentExpression = argtok->expressionString();
functionCall.callArgValue = argtok->variable()->dimension(0) * argtok->valueType()->typeSize(*tokenizer->getSettings()); const auto typeSize = argtok->valueType()->typeSize(*tokenizer->getSettings());
functionCall.callArgValue = typeSize > 0 ? argtok->variable()->dimension(0) * typeSize : -1;
functionCall.warning = false; functionCall.warning = false;
fileInfo->functionCalls.push_back(std::move(functionCall)); fileInfo->functionCalls.push_back(std::move(functionCall));
} }
@ -528,7 +529,7 @@ static bool findPath(const std::string &callId,
case CTU::FileInfo::InvalidValueType::bufferOverflow: case CTU::FileInfo::InvalidValueType::bufferOverflow:
if (functionCall->callValueType != ValueFlow::Value::ValueType::BUFFER_SIZE) if (functionCall->callValueType != ValueFlow::Value::ValueType::BUFFER_SIZE)
continue; continue;
if (unsafeValue < 0 || unsafeValue >= functionCall->callArgValue) if (unsafeValue < 0 || (unsafeValue >= functionCall->callArgValue && functionCall->callArgValue >= 0))
break; break;
continue; continue;
} }
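Review bot: The `-1` stored by the new line `functionCall.callArgValue = typeSize > 0 ? argtok->variable()->dimension(0) * typeSize : -1;` in the first hunk is a sentinel for "element size unknown", but neither the assignment nor the consumer in findPath says so, and the second hunk's added `&& functionCall->callArgValue >= 0` reads as an arbitrary range check without that context. I would add `// -1: element size unknown (e.g. unresolved typedef); findPath skips the bounds check for such calls` above the assignment, and the same note on the callArgValue member in the FileInfo header, which is outside this commit. The comment should also state the trade-off the commit makes: an out-of-bounds access through an unknown type is now not reported at all instead of being reported with a bogus size, i.e. a false negative is accepted to remove the false positive. If typeSize can come back negative for some ValueType (not visible here), the `> 0` guard already folds that into the sentinel, which looks intended. Both getFileInfo and findPath continue outside their hunks.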


@ -5236,6 +5236,13 @@ private:
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:4] -> [test.cpp:1]: (error) Array index out of bounds; 'argv' buffer size is 1 and it is accessed at offset 5.\n", ASSERT_EQUALS("[test.cpp:4] -> [test.cpp:1]: (error) Array index out of bounds; 'argv' buffer size is 1 and it is accessed at offset 5.\n",
errout.str()); errout.str());
ctu("void g(int *b) { b[0] = 0; }\n"
"void f() {\n"
" GLint a[1];\n"
" g(a);\n"
"}\n");
ASSERT_EQUALS("", errout.str());
} }
void ctu_variable() { void ctu_variable() {
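Review bot: The added test only shows that passing `GLint a[1]` to `g` yields no diagnostic, but nothing in the test says why silence is the expected outcome, so a later reader may take it for a lost true positive rather than the intended unknown-size skip. I would add `// #11586 - GLint is an unresolved typedef, so the element size is unknown and no bounds check can be made` above the `ctu(` call. The hunk header counts seven additions while six added lines are visible here, so one line (possibly such a comment) may have been lost in rendering. The enclosing test function begins outside the hunk.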