Fix #694 (False (possible error) Buffer overrun with %-1s)
ashim2009 did most of the work http://sourceforge.net/apps/trac/cppcheck/ticket/694
This commit is contained in:
Reijo Tomperi
parent
bcc77f7f8b
commit
59aad35137
|
|
@ -773,9 +773,6 @@ void CheckBufferOverrun::bufferOverrun()
|
||||||
|
|
||||||
int CheckBufferOverrun::countSprintfLength(const std::string &input_string, const std::list<const Token*> ¶meters)
|
int CheckBufferOverrun::countSprintfLength(const std::string &input_string, const std::list<const Token*> ¶meters)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
int flag = 1;
|
int flag = 1;
|
||||||
int second_flag = 0; // This is to check for %
|
int second_flag = 0; // This is to check for %
|
||||||
int input_string_size = 0;
|
int input_string_size = 0;
|
||||||
|
|
@ -897,17 +894,16 @@ int CheckBufferOverrun::countSprintfLength(const std::string &input_string, cons
|
||||||
|
|
||||||
|
|
||||||
void CheckBufferOverrun::checkSprintfCall(const Token *tok, int size)
|
void CheckBufferOverrun::checkSprintfCall(const Token *tok, int size)
|
||||||
{
|
|
||||||
if (0)
|
|
||||||
{
|
{
|
||||||
std::list<const Token*> parameters;
|
std::list<const Token*> parameters;
|
||||||
if (tok->tokAt(5)->str() == ",")
|
if (tok->tokAt(5)->str() == ",")
|
||||||
{
|
{
|
||||||
const Token *end = tok->next()->link();
|
const Token *end = tok->next()->link();
|
||||||
for (const Token *tok2 = tok->tokAt(6); tok2 && tok2 != end; tok2 = tok2->next())
|
for (const Token *tok2 = tok->tokAt(5); tok2 && tok2 != end; tok2 = tok2->next())
|
||||||
{
|
{
|
||||||
if (Token::Match(tok2, ", %any% [,)]"))
|
if (Token::Match(tok2, ", %any% [,)]"))
|
||||||
{
|
{
|
||||||
|
|
||||||
if (Token::Match(tok2->next(), "%str%"))
|
if (Token::Match(tok2->next(), "%str%"))
|
||||||
parameters.push_back(tok2->next());
|
parameters.push_back(tok2->next());
|
||||||
|
|
||||||
|
|
@ -955,80 +951,4 @@ void CheckBufferOverrun::checkSprintfCall(const Token *tok, int size)
|
||||||
bufferOverrun(tok);
|
bufferOverrun(tok);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
|
||||||
{
|
|
||||||
int len = -2;
|
|
||||||
|
|
||||||
// check format string
|
|
||||||
const char *fmt = tok->strAt(4);
|
|
||||||
while (*fmt)
|
|
||||||
{
|
|
||||||
if (*fmt == '\\')
|
|
||||||
{
|
|
||||||
++fmt;
|
|
||||||
}
|
|
||||||
else if (*fmt == '%')
|
|
||||||
{
|
|
||||||
++fmt;
|
|
||||||
|
|
||||||
// skip field width
|
|
||||||
while (std::isdigit(*fmt))
|
|
||||||
{
|
|
||||||
++fmt;
|
|
||||||
}
|
|
||||||
|
|
||||||
// FIXME: better handling for format specifiers
|
|
||||||
++fmt;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
++fmt;
|
|
||||||
++len;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (len >= (int)size)
|
|
||||||
{
|
|
||||||
bufferOverrun(tok);
|
|
||||||
}
|
|
||||||
|
|
||||||
// check arguments (if they exists)
|
|
||||||
if (tok->tokAt(5)->str() == ",")
|
|
||||||
{
|
|
||||||
len = 0;
|
|
||||||
const Token *end = tok->next()->link();
|
|
||||||
bool argumentAlreadyChecked = false;
|
|
||||||
int lastCheckedArgumentMaxSize = 0;
|
|
||||||
for (const Token *tok2 = tok->tokAt(6); tok2 && tok2 != end; tok2 = tok2->next())
|
|
||||||
{
|
|
||||||
if (tok2->str() == ",")
|
|
||||||
{
|
|
||||||
argumentAlreadyChecked = false;
|
|
||||||
lastCheckedArgumentMaxSize = 0;
|
|
||||||
}
|
|
||||||
else if (Token::Match(tok2, "%str%"))
|
|
||||||
{
|
|
||||||
int argumentSize = static_cast<int>(Token::getStrLength(tok2));
|
|
||||||
if (argumentAlreadyChecked == false)
|
|
||||||
{
|
|
||||||
lastCheckedArgumentMaxSize = argumentSize;
|
|
||||||
len += argumentSize;
|
|
||||||
argumentAlreadyChecked = true;
|
|
||||||
}
|
|
||||||
else if (argumentSize > lastCheckedArgumentMaxSize)
|
|
||||||
{
|
|
||||||
// when sprintf() argument is ternary
|
|
||||||
// operation we may have two and more
|
|
||||||
// strings as argument. In this case we
|
|
||||||
// use length of longest string.
|
|
||||||
len += (argumentSize - lastCheckedArgumentMaxSize);
|
|
||||||
lastCheckedArgumentMaxSize = argumentSize;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (len >= (int)size)
|
|
||||||
{
|
|
||||||
bufferOverrun(tok);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -860,7 +860,7 @@ private:
|
||||||
" char buf[3];\n"
|
" char buf[3];\n"
|
||||||
" sprintf(buf, \"%s\", condition ? \"11\" : \"222\");\n"
|
" sprintf(buf, \"%s\", condition ? \"11\" : \"222\");\n"
|
||||||
"}\n");
|
"}\n");
|
||||||
ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
|
TODO_ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
|
||||||
}
|
}
|
||||||
|
|
||||||
void snprintf1()
|
void snprintf1()
|
||||||
|
|
@ -1023,6 +1023,7 @@ private:
|
||||||
ASSERT_EQUALS(2, CheckBufferOverrun::countSprintfLength("%1d", unknownParameter));
|
ASSERT_EQUALS(2, CheckBufferOverrun::countSprintfLength("%1d", unknownParameter));
|
||||||
ASSERT_EQUALS(3, CheckBufferOverrun::countSprintfLength("%2.2d", unknownParameter));
|
ASSERT_EQUALS(3, CheckBufferOverrun::countSprintfLength("%2.2d", unknownParameter));
|
||||||
ASSERT_EQUALS(1, CheckBufferOverrun::countSprintfLength("%s", unknownParameter));
|
ASSERT_EQUALS(1, CheckBufferOverrun::countSprintfLength("%s", unknownParameter));
|
||||||
|
ASSERT_EQUALS(1, CheckBufferOverrun::countSprintfLength("%-s", unknownParameter));
|
||||||
ASSERT_EQUALS(6, CheckBufferOverrun::countSprintfLength("%-5s", unknownParameter));
|
ASSERT_EQUALS(6, CheckBufferOverrun::countSprintfLength("%-5s", unknownParameter));
|
||||||
ASSERT_EQUALS(2, CheckBufferOverrun::countSprintfLength("\\\"", unknownParameter));
|
ASSERT_EQUALS(2, CheckBufferOverrun::countSprintfLength("\\\"", unknownParameter));
|
||||||
ASSERT_EQUALS(7, CheckBufferOverrun::countSprintfLength("Hello \0Text", unknownParameter));
|
ASSERT_EQUALS(7, CheckBufferOverrun::countSprintfLength("Hello \0Text", unknownParameter));
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue