Fixed #1418 (false negative: buffer access out of bounds)

2010-05-16 23:53:42 +02:00 · 2010-05-16 23:53:42 +02:00 · 71e5c56bf9
parent 20289b1f5b
commit 71e5c56bf9
2 changed files with 25 additions and 1 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -48,7 +48,7 @@ CheckBufferOverrun instance;

 void CheckBufferOverrun::arrayIndexOutOfBounds(const Token *tok, int size, int index)
 {
-    if (size <= 1)
+    if (size == 1)
        return;

    std::ostringstream errmsg;
@ -779,6 +779,17 @@ void CheckBufferOverrun::checkScope(const Token *tok, const ArrayInfo &arrayInfo
            }

        }
+		
+		// in case %var% is declared as a pointer
+		else if (Token::Match(tok, "%var% [ %num% ]"))
+		{
+			const int index = MathLib::toLongNumber(tok->strAt(2));
+			if (index < 0)
+			{
+				arrayIndexOutOfBounds(tok, index, index);
+			}
+			
+		}

        // Loop..
        else if (Token::simpleMatch(tok, "for ("))
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -101,6 +101,7 @@ private:
        TEST_CASE(array_index_25); // ticket #1536
        TEST_CASE(array_index_26);
        TEST_CASE(array_index_27);
+        TEST_CASE(array_index_28); // ticket #1418
        TEST_CASE(array_index_multidim);
        TEST_CASE(array_index_switch_in_for);
        TEST_CASE(array_index_calculation);
@ -932,6 +933,18 @@ private:
              "}\n");
        ASSERT_EQUALS("[test.cpp:5]: (error) Array 'a[10]' index -1 out of bounds\n", errout.str());
    }
+	
+	void array_index_28()
+    {
+		// ticket #1418
+        check("void f()\n"
+              "{\n"
+              "    int i[2];\n"
+              "    int *ip = &i[1];\n"
+              "    ip[-10] = 1;\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:5]: (error) Array 'ip[-10]' index -10 out of bounds\n", errout.str());   
+    }

    void array_index_multidim()
    {