walkero
/
cppcheck
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Revert "Fix #11765 FN: minsize not checked for string literal, buffer… (#5235) 

… access out of bounds not found (#5154)"

This reverts commit 9ad18f51af.
This commit is contained in:
chrchr-github 2023-07-11 22:19:01 +02:00 committed by GitHub
parent 9c5275f514
commit 709fec88f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 34 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cfg/std.cfg
View File

@ -5011,6 +5011,7 @@ The obsolete function 'gets' is called. With 'gets' you'll get a buffer overrun
<arg nr="3" direction="in">
<not-null/>
<not-uninit/>
<minsize type="argvalue" arg="4"/>
<strz/>
</arg>
<arg nr="4" direction="in">
@ -5096,6 +5097,7 @@ The obsolete function 'gets' is called. With 'gets' you'll get a buffer overrun
<arg nr="3" direction="in">
<not-null/>
<not-uninit/>
<minsize type="argvalue" arg="4"/>
<strz/>
</arg>
<arg nr="4" direction="in">
@ -5211,6 +5213,7 @@ The obsolete function 'gets' is called. With 'gets' you'll get a buffer overrun
<not-null/>
<not-uninit/>
<strz/>
<minsize type="argvalue" arg="3"/>
</arg>
<arg nr="3" direction="in">
<not-uninit/>

21
lib/checkbufferoverrun.cpp
View File

@ -554,25 +554,20 @@ ValueFlow::Value CheckBufferOverrun::getBufferSize(const Token *bufTok) const
return *value;
}
MathLib::bigint dim = -1;
if (var) {
dim = std::accumulate(var->dimensions().cbegin(), var->dimensions().cend(), 1LL, [](MathLib::bigint i1, const Dimension &dim) {
return i1 * dim.num;
});
}
else if (bufTok->tokType() == Token::Type::eString) {
dim = Token::getStrLength(bufTok) + 1;
}
else
if (!var)
return ValueFlow::Value(-1);
const MathLib::bigint dim = std::accumulate(var->dimensions().cbegin(), var->dimensions().cend(), 1LL, [](MathLib::bigint i1, const Dimension &dim) {
return i1 * dim.num;
});
ValueFlow::Value v;
v.setKnown();
v.valueType = ValueFlow::Value::ValueType::BUFFER_SIZE;
if (var && var->isPointerArray())
if (var->isPointerArray())
v.intvalue = dim * mSettings->platform.sizeof_pointer;
else if (var && var->isPointer())
else if (var->isPointer())
return ValueFlow::Value(-1);
else {
const MathLib::bigint typeSize = bufTok->valueType()->typeSize(mSettings->platform);
@ -651,7 +646,7 @@ void CheckBufferOverrun::bufferOverflow()
argtok = argtok->astOperand2() ? argtok->astOperand2() : argtok->astOperand1();
while (Token::Match(argtok, ".|::"))
argtok = argtok->astOperand2();
if (!argtok || (!argtok->variable() && argtok->tokType() != Token::Type::eString))
if (!argtok || !argtok->variable())
continue;
if (argtok->valueType() && argtok->valueType()->pointer == 0)
continue;

3
test/cfg/std.c
View File

@ -219,12 +219,14 @@ void bufferAccessOutOfBounds(void)
strncpy_s(a,5,"abcd",5);
// string will be truncated, error is returned, but no buffer overflow
strncpy_s(a,5,"abcde",6);
// TODO cppcheck-suppress bufferAccessOutOfBounds
strncpy_s(a,5,"a",6);
strncpy_s(a,5,"abcdefgh",4);
// valid call
strncat_s(a,5,"1",2);
// cppcheck-suppress bufferAccessOutOfBounds
strncat_s(a,10,"1",2);
// TODO cppcheck-suppress bufferAccessOutOfBounds
strncat_s(a,5,"1",5);
fread(a,1,5,stdin);
// cppcheck-suppress bufferAccessOutOfBounds
@ -516,6 +518,7 @@ void nullpointer(int value)
wcstok(NULL,L"xyz",&pWcsUninit);
strxfrm(0,"foo",0);
// TODO: error message (#6306 and http://trac.cppcheck.net/changeset/d11eb4931aea51cf2cb74faccdcd2a3289b818d6/)
strxfrm(0,"foo",42);
wcsxfrm(0,L"foo",0);
// TODO: error message when arg1==NULL and arg3!=0 #6306: https://trac.cppcheck.net/ticket/6306#comment:2

48
test/testbufferoverrun.cpp
View File

@ -238,7 +238,6 @@ private:
TEST_CASE(buffer_overrun_34); //#11035
TEST_CASE(buffer_overrun_35); //#2304
TEST_CASE(buffer_overrun_36);
TEST_CASE(buffer_overrun_37);
TEST_CASE(buffer_overrun_errorpath);
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
TEST_CASE(buffer_overrun_function_array_argument);
@ -3325,6 +3324,23 @@ private:
" (void)strxfrm(dest,src,3);\n" // <<
"}");
ASSERT_EQUALS("[test.cpp:6]: (error) Buffer is accessed out of bounds: dest\n", errout.str());
// source size is too small
check("void f(void) {\n"
" const char src[2] = \"ab\";\n"
" char dest[3] = \"abc\";\n"
" (void)strxfrm(dest,src,1);\n"
" (void)strxfrm(dest,src,2);\n"
" (void)strxfrm(dest,src,3);\n" // <<
"}");
ASSERT_EQUALS("[test.cpp:6]: (error) Buffer is accessed out of bounds: src\n", errout.str());
// source size is too small
check("void f(void) {\n"
" const char src[1] = \"a\";\n"
" char dest[3] = \"abc\";\n"
" (void)strxfrm(dest,src,1);\n"
" (void)strxfrm(dest,src,2);\n" // <<
"}");
ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds: src\n", errout.str());
}
void buffer_overrun_33() { // #2019
@ -3387,32 +3403,6 @@ private:
ASSERT_EQUALS("", errout.str());
}
void buffer_overrun_37() { // #11765
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, \"Error\", 6);\n"
"}\n");
ASSERT_EQUALS("", errout.str());
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, \"Error\", 16);\n"
"}\n");
ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: \"Error\"\n", errout.str());
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, L\"Error\", 10);\n" // at least 12 bytes on any platform
"}\n");
ASSERT_EQUALS("", errout.str());
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, L\"Error\", 26);\n" // at most 24 bytes
"}\n");
ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: L\"Error\"\n", errout.str());
}
void buffer_overrun_errorpath() {
setMultiline();
const Settings settingsOld = settings0;
@ -4275,7 +4265,9 @@ private:
check("void f() {\n"
" mymemset(\"abc\", 0, 20);\n"
"}", settings);
ASSERT_EQUALS("[test.cpp:2]: (error) Buffer is accessed out of bounds: \"abc\"\n", errout.str());
TODO_ASSERT_EQUALS("[test.cpp:2]: (error) Buffer is accessed out of bounds.\n",
"",
errout.str());
check("void f() {\n"
" mymemset(temp, \"abc\", 4);\n"