fix #3153 (false positive buffer access out-of-bounds)

2011-09-30 17:28:59 -04:00 · 2011-09-30 17:28:59 -04:00 · 65b0fb4519
parent 272783347b
commit 65b0fb4519
2 changed files with 21 additions and 1 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -1080,7 +1080,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const std::vector<std::str
            if (varid == 0)
                continue;

-            const ArrayInfo arrayInfo1(varid, varnames, size, total_size / size);
+            const ArrayInfo arrayInfo1(varid, varnames, total_size / size, size);
            checkFunctionCall(tok, arrayInfo1);
        }

--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -151,6 +151,7 @@ private:
        TEST_CASE(buffer_overrun_20); // #2986 (segmentation fault)
        TEST_CASE(buffer_overrun_21);
        TEST_CASE(buffer_overrun_22); // #3124
+        TEST_CASE(buffer_overrun_23); // #3153
        TEST_CASE(buffer_overrun_bailoutIfSwitch);  // ticket #2378 : bailoutIfSwitch
        TEST_CASE(possible_buffer_overrun_1); // #3035

@ -2299,6 +2300,25 @@ private:
        ASSERT_EQUALS("[test.cpp:7]: (error) Buffer access out-of-bounds: a.b\n", errout.str());
    }

+    void buffer_overrun_23() // ticket #3153
+    {
+        check("void foo() {\n"
+              "    double dest = 23.0;\n"
+              "    char* const source = (char*) malloc(sizeof(dest));\n"
+              "    memcpy(&dest, source + sizeof(double), sizeof(dest));\n"
+              "}\n");
+
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());
+
+        check("void foo() {\n"
+              "    double dest = 23.0;\n"
+              "    char* const source = (char*) malloc(2 * sizeof(dest));\n"
+              "    memcpy(&dest, source + sizeof(double), sizeof(dest));\n"
+              "}\n");
+
+        ASSERT_EQUALS("", errout.str());
+    }
+
    void buffer_overrun_bailoutIfSwitch()
    {
        // No false positive