Fixed #339 (Buffer overrun not detected with pointer arrays)
http://apps.sourceforge.net/trac/cppcheck/ticket/339
This commit is contained in:
Daniel Marjamäki
parent
37a485f4f0
commit
6ef87e8eab
|
|
@ -451,13 +451,16 @@ void CheckBufferOverrunClass::CheckBufferOverrun_GlobalAndLocalVariable()
|
||||||
unsigned int varid = 0;
|
unsigned int varid = 0;
|
||||||
int nextTok = 0;
|
int nextTok = 0;
|
||||||
|
|
||||||
if (Token::Match(tok, "%type% %var% [ %num% ] [;=]"))
|
if (Token::Match(tok, "%type% *| %var% [ %num% ] [;=]"))
|
||||||
{
|
{
|
||||||
varname[0] = tok->strAt(1);
|
unsigned int varpos = 1;
|
||||||
size = std::strtoul(tok->strAt(3), NULL, 10);
|
if (tok->next()->str() == "*")
|
||||||
type = tok->str().c_str();
|
++varpos;
|
||||||
varid = tok->tokAt(1)->varId();
|
varname[0] = tok->strAt(varpos);
|
||||||
nextTok = 6;
|
size = std::strtoul(tok->strAt(varpos + 2), NULL, 10);
|
||||||
|
type = tok->strAt(varpos - 1);
|
||||||
|
varid = tok->tokAt(varpos)->varId();
|
||||||
|
nextTok = varpos + 5;
|
||||||
}
|
}
|
||||||
else if (indentlevel > 0 && Token::Match(tok, "[*;{}] %var% = new %type% [ %num% ]"))
|
else if (indentlevel > 0 && Token::Match(tok, "[*;{}] %var% = new %type% [ %num% ]"))
|
||||||
{
|
{
|
||||||
|
|
@ -480,7 +483,7 @@ void CheckBufferOverrunClass::CheckBufferOverrun_GlobalAndLocalVariable()
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
int total_size = size * _tokenizer->SizeOfType(type);
|
int total_size = size * ((*type == '*') ? 4 : _tokenizer->SizeOfType(type));
|
||||||
if (total_size == 0)
|
if (total_size == 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -85,6 +85,7 @@ private:
|
||||||
TEST_CASE(buffer_overrun_1);
|
TEST_CASE(buffer_overrun_1);
|
||||||
TEST_CASE(buffer_overrun_2);
|
TEST_CASE(buffer_overrun_2);
|
||||||
TEST_CASE(buffer_overrun_3);
|
TEST_CASE(buffer_overrun_3);
|
||||||
|
TEST_CASE(buffer_overrun_4);
|
||||||
|
|
||||||
TEST_CASE(sprintf1);
|
TEST_CASE(sprintf1);
|
||||||
TEST_CASE(snprintf1);
|
TEST_CASE(snprintf1);
|
||||||
|
|
@ -407,6 +408,8 @@ private:
|
||||||
ASSERT_EQUALS("[test.cpp:10]: (all) Array index out of bounds\n", err);
|
ASSERT_EQUALS("[test.cpp:10]: (all) Array index out of bounds\n", err);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
void buffer_overrun_1()
|
void buffer_overrun_1()
|
||||||
{
|
{
|
||||||
check("void f()\n"
|
check("void f()\n"
|
||||||
|
|
@ -448,6 +451,16 @@ private:
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void buffer_overrun_4()
|
||||||
|
{
|
||||||
|
check("void foo()\n"
|
||||||
|
"{\n"
|
||||||
|
" const char *p[2];\n"
|
||||||
|
" for (int i = 0; i < 8; ++i)\n"
|
||||||
|
" p[i] = 0;\n"
|
||||||
|
"}\n");
|
||||||
|
ASSERT_EQUALS("[test.cpp:5]: (all) Buffer overrun\n", errout.str());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue