Fix #985 (Detect buffer overrun with read())

http://sourceforge.net/apps/trac/cppcheck/ticket/985
2009-11-20 23:47:06 +02:00 · 2009-11-20 23:47:06 +02:00 · 6417704577
parent 531d0fa685
commit 6417704577
2 changed files with 54 additions and 0 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -463,6 +463,32 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
            }
        }

+        // Writing data into array..
+        if (varid > 0 &&
+            Token::Match(tok, "read ( %any% , %varid% , %num% )", varid) &&
+            MathLib::isInt(tok->strAt(6)))
+        {
+            size_t len = MathLib::toLongNumber(tok->strAt(6));
+            if (len > static_cast<size_t>(size))
+            {
+                bufferOverrun(tok);
+                continue;
+            }
+        }
+
+        // Writing data into array..
+        if (varid > 0 &&
+            Token::Match(tok, "fgets ( %varid% , %num% , %any% )", varid) &&
+            MathLib::isInt(tok->strAt(4)))
+        {
+            size_t len = MathLib::toLongNumber(tok->strAt(4));
+            if (len >= static_cast<size_t>(size))
+            {
+                bufferOverrun(tok);
+                continue;
+            }
+        }
+
        // Dangerous usage of strncat..
        if (varid > 0 && Token::Match(tok, "strncat ( %varid% , %any% , %num% )", varid))
        {
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -761,6 +761,34 @@ private:
              "    strcpy(str, \"abc\");\n"
              "}\n");
        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());
+
+        check("void f(int fd)\n"
+              "{\n"
+              "    char str[3];\n"
+              "    read(fd, str, 3);\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+
+        check("void f(int fd)\n"
+              "{\n"
+              "    char str[3];\n"
+              "    read(fd, str, 4);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());
+
+        check("void f()\n"
+              "{\n"
+              "    char str[3];\n"
+              "    fgets(str, 2, stdin);\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+
+        check("void f()\n"
+              "{\n"
+              "    char str[3];\n"
+              "    fgets(str, 3, stdin);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());
    }