From 6c022798ead9d3cd26a44972788d648bb56859d8 Mon Sep 17 00:00:00 2001
From: Slava Semushin
Date: Sun, 26 Jul 2009 19:29:46 +0700
Subject: [PATCH] Fixed ticket #499 (buffer overflow not detected when using macros)

sprintf() buffer overrun detection works wrong due to typo (since time when it was added in commit a604f56f1960d3abe7a7c4bbc221bf62ccb676a2). Also reports buffer overrun when sprintf() writes bytes equal to buffer size -- in this case off-by-one error appears.

http://sourceforge.net/apps/trac/cppcheck/ticket/499
---
 src/checkbufferoverrun.cpp | 4 ++--
 test/testbufferoverrun.cpp | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/checkbufferoverrun.cpp b/src/checkbufferoverrun.cpp
index 7b6e09309..98bfc1b83 100644
--- a/src/checkbufferoverrun.cpp
+++ b/src/checkbufferoverrun.cpp
@@ -313,7 +313,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
 if (tok2->str()[0] == '\"')
 {
 len -= 2;
- const char *str = tok->str().c_str();
+ const char *str = tok2->str().c_str();
 while (*str)
 {
 if (*str == '\\')
@@ -323,7 +323,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
 }
 }
 }
- if (len > (int)size)
+ if (len >= (int)size)
 {
 bufferOverrun(tok);
 }
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index 77765a452..f5a9f1c57 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -502,6 +502,14 @@ private:
 " sprintf(str, \"%s\", \"abc\");\n"
 "}\n");
 ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
+
+ check("void f()\n"
+ "{\n"
+ " char * c = new char[10];\n"
+ " sprintf(c, \"%s\", \"/usr/LongLongLongLongUserName/bin/LongLongApplicationName\");\n"
+ " delete [] c;\n"
+ "}\n");
+ ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
 }
 
 void snprintf1()
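Review bot: The new `if (len >= (int)size)` is the right bound because sprintf() writes a terminating NUL after the `len` characters it formats, but nothing at the comparison says so, and the next reader will read `>=` as an off-by-one and "fix" it back to `>`. Put the reason on the line above the condition: `// sprintf() appends a NUL, so len characters occupy len + 1 bytes: overrun when len >= size`. How `size` is declared and whether `len` accounts for anything beyond the literal counted in the earlier hunk is outside this hunk, so the `(int)` cast is left as is; checkScope begins and ends outside the hunk.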
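Review bot: The added test only exercises a literal far longer than its 10-byte buffer, so neither the `len == size` boundary this commit introduces nor the macro case named in the subject is pinned, and a regression back to `>` would still pass it. Add a boundary pair beside it: `char str[3]; sprintf(str, "%s", "abc");` expected to produce `[test.cpp:4]: (possible error) Buffer overrun`, and `char str[4]; sprintf(str, "%s", "abc");` expected to produce no output, plus, if the ticket's macro form can be reproduced in a unit test, one case whose buffer size comes from a `#define`. The preceding `sprintf(str, "%s", "abc")` case may already be that exact-fit boundary, but the declaration of `str` is outside the hunk, as is the start of the enclosing test method.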