calculate array size for variable length structures with array at end in CheckBufferOverrun::checkStructVariable() when possible

This commit is contained in:
Robert Reif 2011-09-10 10:14:32 -04:00
parent 08efad13b2
commit 547a79d4fe
3 changed files with 55 additions and 12 deletions

View File

@ -1566,18 +1566,17 @@ void CheckBufferOverrun::checkStructVariable()
else else
continue; continue;
// Skip array with only 0/1 elements because those are // check for variable sized structure
// often overrun intentionally
// is variable public struct member?
if (scope->type == Scope::eStruct && var->isPublic()) if (scope->type == Scope::eStruct && var->isPublic())
{ {
// last member of a struct with array size of 0 or 1 could be a variable sized struct // last member of a struct with array size of 0 or 1 could be a variable sized structure
if (var->dimensions().size() == 1 && var->dimension(0) < 2 && if (var->dimensions().size() == 1 && var->dimension(0) < 2 &&
var->index() == (scope->varlist.size() - 1)) var->index() == (scope->varlist.size() - 1))
{ {
// dynamically allocated so could be variable sized array // dynamically allocated so could be variable sized structure
if (tok3->next()->str() == "*") if (tok3->next()->str() == "*")
{ {
// check for allocation
if ((Token::Match(tok3->tokAt(3), "; %var% = malloc ( %num% ) ;") || if ((Token::Match(tok3->tokAt(3), "; %var% = malloc ( %num% ) ;") ||
(Token::Match(tok3->tokAt(3), "; %var% = (") && (Token::Match(tok3->tokAt(3), "; %var% = (") &&
Token::Match(tok3->tokAt(6)->link(), ") malloc ( %num% ) ;"))) && Token::Match(tok3->tokAt(6)->link(), ") malloc ( %num% ) ;"))) &&
@ -1591,15 +1590,29 @@ void CheckBufferOverrun::checkStructVariable()
else else
size = MathLib::toLongNumber(tok3->strAt(8)); size = MathLib::toLongNumber(tok3->strAt(8));
if (size != 100) // magic number for size of class or struct // We don't calculate the size of a structure even when we know
// the size of the members. We just assign a length of 100 for
// any struct. If the size is less than 100, we assume the
// programmer knew the size and specified it rather than using
// sizeof(struct). If the size is greater than 100, we assume
// the programmer specified the size as sizeof(struct) + number.
// Either way, this is just a guess and could be wrong. The
// information to make the right decision has been simplified
// away by the time we get here.
if (size != 100) // magic number for size of struct
{ {
/** @todo false negatives: only true if dynamically allocated with size larger that struct */ // check if a real size was specified and give up
/** @todo false negatives: calculate real array size based on allocated size */ // malloc(10) rather than malloc(sizeof(struct))
continue; if (size < 100)
continue;
// calculate real array size based on allocated size
MathLib::bigint elements = (size - 100) / arrayInfo.element_size();
arrayInfo.num(0, arrayInfo.num(0) + elements);
} }
} }
// size unknown so assume it is a dynamically sized struct // size unknown so assume it is a variable sized structure
else else
continue; continue;
} }

View File

@ -165,6 +165,10 @@ public:
{ {
return _num[index]; return _num[index];
} }
void num(size_t index, MathLib::bigint number)
{
_num[index] = number;
}
/** size of each element */ /** size of each element */
MathLib::bigint element_size() const MathLib::bigint element_size() const

View File

@ -545,7 +545,7 @@ private:
ASSERT_EQUALS("", errout.str()); ASSERT_EQUALS("", errout.str());
// This is out of bounds because it is outside the memory allocated. // This is out of bounds because it is outside the memory allocated.
/** @todo this doesn't work because we ignore any access to this array */ /** @todo this doesn't work because of a bug in sizeof(struct) */
check("struct ABC\n" check("struct ABC\n"
"{\n" "{\n"
" char str[1];\n" " char str[1];\n"
@ -558,8 +558,21 @@ private:
"}\n"); "}\n");
TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' index 11 out of bounds\n", "", errout.str()); TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' index 11 out of bounds\n", "", errout.str());
// This is out of bounds because it is outside the memory allocated.
check("struct ABC\n"
"{\n"
" char str[1];\n"
"};\n"
"\n"
"static void f()\n"
"{\n"
" struct ABC* x = (struct ABC *)malloc(sizeof(ABC) + 10);\n"
" x->str[11] = 0;"
"}\n");
ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[11]' index 11 out of bounds\n", errout.str());
// This is out of bounds because it is outside the memory allocated // This is out of bounds because it is outside the memory allocated
/** @todo this doesn't work because we ignore any access to this array */ /** @todo this doesn't work because of a bug in sizeof(struct) */
check("struct ABC\n" check("struct ABC\n"
"{\n" "{\n"
" char str[1];\n" " char str[1];\n"
@ -572,6 +585,19 @@ private:
"}\n"); "}\n");
TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' index 1 out of bounds\n", "", errout.str()); TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' index 1 out of bounds\n", "", errout.str());
// This is out of bounds because it is outside the memory allocated
check("struct ABC\n"
"{\n"
" char str[1];\n"
"};\n"
"\n"
"static void f()\n"
"{\n"
" struct ABC* x = (struct ABC *)malloc(sizeof(ABC));\n"
" x->str[1] = 0;"
"}\n");
ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' index 1 out of bounds\n", errout.str());
// This is out of bounds because it is not a variable array // This is out of bounds because it is not a variable array
check("struct ABC\n" check("struct ABC\n"
"{\n" "{\n"