Fixed ticket #499 (buffer overflow not detected when using macros)

sprintf() buffer overrun detection has been broken by a typo ever since it
was added in commit a604f56f19.

Also report a buffer overrun when sprintf() writes exactly as many bytes as
the buffer holds: the terminating NUL then lands one past the end, so the
old check was off by one.

http://sourceforge.net/apps/trac/cppcheck/ticket/499
Slava Semushin 2009-07-26 19:29:46 +07:00
parent a73346e889
commit 6c022798ea
2 changed files with 10 additions and 2 deletions


@ -313,7 +313,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
if (tok2->str()[0] == '\"') if (tok2->str()[0] == '\"')
{ {
len -= 2; len -= 2;
const char *str = tok->str().c_str(); const char *str = tok2->str().c_str();
while (*str) while (*str)
{ {
if (*str == '\\') if (*str == '\\')
@ -323,7 +323,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
} }
} }
} }
if (len > (int)size) if (len >= (int)size)
{ {
bufferOverrun(tok); bufferOverrun(tok);
} }
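Review bot: The `len >= (int)size` comparison at the end of the hunk is right only because sprintf() appends a terminating NUL after the `len` bytes being counted, and nothing in the code says so; a later reader will take the `>=` for the very off-by-one this commit fixes and flip it back. Add `// sprintf() writes len bytes plus a terminating NUL, so len == size already overruns the buffer` directly above the comparison. The preceding loop over the literal appears to treat each backslash-introduced sequence as a single output byte; if the lines hidden from this hunk only step past one character, multi-character escapes such as `\x41` or `\101` would be counted long, giving false positives rather than missed overruns, which is worth a comment or a test once confirmed. checkScope begins before and ends after this hunk.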


@ -502,6 +502,14 @@ private:
" sprintf(str, \"%s\", \"abc\");\n" " sprintf(str, \"%s\", \"abc\");\n"
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str()); ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
check("void f()\n"
"{\n"
" char * c = new char[10];\n"
" sprintf(c, \"%s\", \"/usr/LongLongLongLongUserName/bin/LongLongApplicationName\");\n"
" delete [] c;\n"
"}\n");
ASSERT_EQUALS("[test.cpp:4]: (possible error) Buffer overrun\n", errout.str());
} }
void snprintf1() void snprintf1()
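Review bot: The added test case covers a heap buffer that is clearly far too small, but nothing pins the boundary the commit message describes (output length equal to buffer size), so the `>=` fix could silently regress to `>` without any test failing. Add a pair of checks beside it: one expecting "Buffer overrun" for `char str[3]; sprintf(str, "abc");` (three bytes plus the NUL need four) and one expecting an empty errout for `char str[4]; sprintf(str, "abc");`. If the checker counts bytes for a bare format string differently from a literal passed through `"%s"`, which this hunk does not show, adjust the literals accordingly rather than dropping the boundary case. The enclosing test method begins before the hunk and its name is not visible here.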