Fixed #1418 (false negative: buffer access out of bounds)

2010-05-16 23:53:42 +02:00 · 2010-05-16 23:53:42 +02:00 · 71e5c56bf9
parent 20289b1f5b
commit 71e5c56bf9
2 changed files with 25 additions and 1 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -48,7 +48,7 @@ CheckBufferOverrun instance;
 void CheckBufferOverrun::arrayIndexOutOfBounds(const Token *tok, int size, int index)
 {
-    if (size <= 1)
+    if (size == 1)
        return;
    std::ostringstream errmsg;
@ -779,6 +779,17 @@ void CheckBufferOverrun::checkScope(const Token *tok, const ArrayInfo &arrayInfo
            }
        }
 		// in case %var% is declared as a pointer
 		else if (Token::Match(tok, "%var% [ %num% ]"))
 		{
 			const int index = MathLib::toLongNumber(tok->strAt(2));
 			if (index < 0)
 			{
 				arrayIndexOutOfBounds(tok, index, index);
 			}
 		}
        // Loop..
        else if (Token::simpleMatch(tok, "for ("))
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -101,6 +101,7 @@ private:
        TEST_CASE(array_index_25); // ticket #1536
        TEST_CASE(array_index_26);
        TEST_CASE(array_index_27);
        TEST_CASE(array_index_28); // ticket #1418
        TEST_CASE(array_index_multidim);
        TEST_CASE(array_index_switch_in_for);
        TEST_CASE(array_index_calculation);
@ -932,6 +933,18 @@ private:
              "}\n");
        ASSERT_EQUALS("[test.cpp:5]: (error) Array 'a[10]' index -1 out of bounds\n", errout.str());
    }
 	void array_index_28()
    {
 		// ticket #1418
        check("void f()\n"
              "{\n"
              "    int i[2];\n"
              "    int *ip = &i[1];\n"
              "    ip[-10] = 1;\n"
              "}\n");
        ASSERT_EQUALS("[test.cpp:5]: (error) Array 'ip[-10]' index -10 out of bounds\n", errout.str());   
    }
    void array_index_multidim()
    {