Fixed #339 (Buffer overrun not detected with pointer arrays)

http://apps.sourceforge.net/trac/cppcheck/ticket/339
Daniel Marjamäki 2009-06-01 19:21:08 +02:00
parent 37a485f4f0
commit 6ef87e8eab
2 changed files with 23 additions and 7 deletions


@ -451,13 +451,16 @@ void CheckBufferOverrunClass::CheckBufferOverrun_GlobalAndLocalVariable()
unsigned int varid = 0;
int nextTok = 0;
if (Token::Match(tok, "%type% %var% [ %num% ] [;=]"))
if (Token::Match(tok, "%type% *| %var% [ %num% ] [;=]"))
{
varname[0] = tok->strAt(1);
size = std::strtoul(tok->strAt(3), NULL, 10);
type = tok->str().c_str();
varid = tok->tokAt(1)->varId();
nextTok = 6;
unsigned int varpos = 1;
if (tok->next()->str() == "*")
++varpos;
varname[0] = tok->strAt(varpos);
size = std::strtoul(tok->strAt(varpos + 2), NULL, 10);
type = tok->strAt(varpos - 1);
varid = tok->tokAt(varpos)->varId();
nextTok = varpos + 5;
}
else if (indentlevel > 0 && Token::Match(tok, "[*;{}] %var% = new %type% [ %num% ]"))
{
@ -480,7 +483,7 @@ void CheckBufferOverrunClass::CheckBufferOverrun_GlobalAndLocalVariable()
continue;
}
int total_size = size * _tokenizer->SizeOfType(type);
int total_size = size * ((*type == '*') ? 4 : _tokenizer->SizeOfType(type));
if (total_size == 0)
continue;
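Review bot: The new `total_size` line hard-codes `4` as the element size of a pointer array, which is only right for 32-bit targets; on an LP64 build the byte size computed here is half the real one, so whatever check consumes `total_size` later in this function (outside the hunk) will misjudge pointer arrays. At minimum this should read `int total_size = size * ((*type == '*') ? static_cast<int>(sizeof(void *)) : _tokenizer->SizeOfType(type));`, and ideally the pointer size should come from the tokenizer's size configuration rather than from the analyser host. It is also worth a comment on the `type = tok->strAt(varpos - 1);` line in the first hunk that for a pointer array `type` now holds the literal `"*"` rather than a type name, since the `*type == '*'` test here silently depends on that and any later reader of `type` as a type name will be surprised. CheckBufferOverrun_GlobalAndLocalVariable starts before the first hunk and continues past this one.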


@ -85,6 +85,7 @@ private:
TEST_CASE(buffer_overrun_1);
TEST_CASE(buffer_overrun_2);
TEST_CASE(buffer_overrun_3);
TEST_CASE(buffer_overrun_4);
TEST_CASE(sprintf1);
TEST_CASE(snprintf1);
@ -407,6 +408,8 @@ private:
ASSERT_EQUALS("[test.cpp:10]: (all) Array index out of bounds\n", err);
}
void buffer_overrun_1()
{
check("void f()\n"
@ -448,6 +451,16 @@ private:
}
void buffer_overrun_4()
{
check("void foo()\n"
"{\n"
" const char *p[2];\n"
" for (int i = 0; i < 8; ++i)\n"
" p[i] = 0;\n"
"}\n");
ASSERT_EQUALS("[test.cpp:5]: (all) Buffer overrun\n", errout.str());
}
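Review bot: buffer_overrun_4 only exercises the index path (`p[i]` with `i` running to 7 on a two-element array), so the pointer-specific branch added to the `total_size` computation in the other file of this commit has no test pinning its result. A second case that triggers a byte-count check on a pointer array (whichever check consumes `total_size`, if one is reachable from this test harness) would show whether the assumed element size is actually used, and a non-`const` `char *p[2]` variant would confirm the `*|` pattern matches both forms.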