Fixed #339 (Buffer overrun not detected with pointer arrays)

http://apps.sourceforge.net/trac/cppcheck/ticket/339
2009-06-01 19:21:08 +02:00 · 2009-06-01 19:21:08 +02:00 · 6ef87e8eab
parent 37a485f4f0
commit 6ef87e8eab
2 changed files with 23 additions and 7 deletions
--- a/src/checkbufferoverrun.cpp
+++ b/src/checkbufferoverrun.cpp
@ -451,13 +451,16 @@ void CheckBufferOverrunClass::CheckBufferOverrun_GlobalAndLocalVariable()
        unsigned int varid = 0;
        int nextTok = 0;

-        if (Token::Match(tok, "%type% %var% [ %num% ] [;=]"))
+        if (Token::Match(tok, "%type% *| %var% [ %num% ] [;=]"))
        {
-            varname[0] = tok->strAt(1);
-            size = std::strtoul(tok->strAt(3), NULL, 10);
-            type = tok->str().c_str();
-            varid = tok->tokAt(1)->varId();
-            nextTok = 6;
+            unsigned int varpos = 1;
+            if (tok->next()->str() == "*")
+                ++varpos;
+            varname[0] = tok->strAt(varpos);
+            size = std::strtoul(tok->strAt(varpos + 2), NULL, 10);
+            type = tok->strAt(varpos - 1);
+            varid = tok->tokAt(varpos)->varId();
+            nextTok = varpos + 5;
        }
        else if (indentlevel > 0 && Token::Match(tok, "[*;{}] %var% = new %type% [ %num% ]"))
        {
@ -480,7 +483,7 @@ void CheckBufferOverrunClass::CheckBufferOverrun_GlobalAndLocalVariable()
            continue;
        }

-        int total_size = size * _tokenizer->SizeOfType(type);
+        int total_size = size * ((*type == '*') ? 4 : _tokenizer->SizeOfType(type));
        if (total_size == 0)
            continue;

--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -85,6 +85,7 @@ private:
        TEST_CASE(buffer_overrun_1);
        TEST_CASE(buffer_overrun_2);
        TEST_CASE(buffer_overrun_3);
+        TEST_CASE(buffer_overrun_4);

        TEST_CASE(sprintf1);
        TEST_CASE(snprintf1);
@ -407,6 +408,8 @@ private:
        ASSERT_EQUALS("[test.cpp:10]: (all) Array index out of bounds\n", err);
    }

+
+
    void buffer_overrun_1()
    {
        check("void f()\n"
@ -448,6 +451,16 @@ private:
    }


+    void buffer_overrun_4()
+    {
+        check("void foo()\n"
+              "{\n"
+              "    const char *p[2];\n"
+              "    for (int i = 0; i < 8; ++i)\n"
+              "        p[i] = 0;\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:5]: (all) Buffer overrun\n", errout.str());
+    }