Fixed ##3211 (Crash in gitHEAD when arglist count is smaller than format string)
This commit is contained in:
PKEuS
Daniel Marjamäki
parent
8afc1b6f2d
commit
71a1d98693
|
|
@ -141,18 +141,24 @@ void CheckNullPointer::parseFunctionCall(const Token &tok, std::list<const Token
|
||||||
if (*i == '%') {
|
if (*i == '%') {
|
||||||
percent = !percent;
|
percent = !percent;
|
||||||
} else if (percent && std::isalpha(*i)) {
|
} else if (percent && std::isalpha(*i)) {
|
||||||
if (*i == 'n' || *i == 's' || scan) {
|
if ((*i == 'n' || *i == 's' || scan) && (!scan || value == 0)) {
|
||||||
if ((value == 0 && argListTok->str() == "0") || (Token::Match(argListTok, "%var%") && argListTok->varId() > 0)) {
|
if ((value == 0 && argListTok->str() == "0") || (Token::Match(argListTok, "%var%") && argListTok->varId() > 0)) {
|
||||||
var.push_back(argListTok);
|
var.push_back(argListTok);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (; argListTok; argListTok = argListTok->next()) { // Find next argument
|
for (; argListTok; argListTok = argListTok->next()) { // Find next argument
|
||||||
|
if (argListTok->str() == "(")
|
||||||
|
argListTok = argListTok->link();
|
||||||
|
if(argListTok == 0)
|
||||||
|
break;
|
||||||
if (argListTok->str() == ",") {
|
if (argListTok->str() == ",") {
|
||||||
argListTok = argListTok->next();
|
argListTok = argListTok->next();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if(!argListTok)
|
||||||
|
break;
|
||||||
percent = false;
|
percent = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1406,8 +1406,38 @@ private:
|
||||||
" printf(\"%s\", s);\n"
|
" printf(\"%s\", s);\n"
|
||||||
"}");
|
"}");
|
||||||
ASSERT_EQUALS("", errout.str());
|
ASSERT_EQUALS("", errout.str());
|
||||||
|
|
||||||
|
check("void f(char* foo) {\n"
|
||||||
|
" char location[200];\n"
|
||||||
|
" int width, height;\n"
|
||||||
|
" sscanf(imgInfo, \"%s %d %d\", location, &width, &height);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("", errout.str()); // ticket #3207
|
||||||
|
|
||||||
|
check("void f(char *dummy) {\n"
|
||||||
|
" int iVal;\n"
|
||||||
|
" sscanf(dummy, \"%d%c\", &iVal);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("", errout.str()); // ticket #3211
|
||||||
|
|
||||||
|
check("void f(char *dummy) {\n"
|
||||||
|
" int* iVal = 0;\n"
|
||||||
|
" sscanf(dummy, \"%d\", iVal);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("[test.cpp:3]: (error) Possible null pointer dereference: iVal\n", errout.str());
|
||||||
|
|
||||||
|
check("void f(char *dummy) {\n"
|
||||||
|
" int* iVal;\n"
|
||||||
|
" sscanf(dummy, \"%d\", foo(iVal));\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("", errout.str());
|
||||||
|
|
||||||
|
check("void f(char *dummy) {\n"
|
||||||
|
" int* iVal = 0;\n"
|
||||||
|
" sscanf(dummy, \"%d%d\", foo(iVal), iVal);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("[test.cpp:3]: (error) Possible null pointer dereference: iVal\n", errout.str());
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
REGISTER_TEST(TestNullPointer)
|
REGISTER_TEST(TestNullPointer)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue