Bug hunting; Detect array index out of bounds in loop better

Daniel Marjamäki 2020-12-05 20:39:54 +01:00
parent 089f193d6c
commit 7324722dab
2 changed files with 17 additions and 0 deletions


@ -1675,6 +1675,10 @@ static void assignExprValue(const Token *expr, ExprEngine::ValuePtr value, Data
if (!loopAssign) if (!loopAssign)
arrayValue->assign(indexValue, value); arrayValue->assign(indexValue, value);
} }
} else {
const Token * const indexToken = expr->astOperand2();
auto indexValue = executeExpression(indexToken, data);
call(data.callbacks, indexToken, indexValue, &data);
} }
} else if (expr->isUnaryOp("*")) { } else if (expr->isUnaryOp("*")) {
auto pval = executeExpression(expr->astOperand1(), data); auto pval = executeExpression(expr->astOperand1(), data);
@ -2509,6 +2513,7 @@ static std::string execute(const Token *start, const Token *end, Data &data)
data.assignValue(tok2, varid, getValueRangeFromValueType(vartok->valueType(), data)); data.assignValue(tok2, varid, getValueRangeFromValueType(vartok->valueType(), data));
} }
} }
tok = tok->linkAt(1);
} }
if (Token::simpleMatch(tok, "} else {")) if (Token::simpleMatch(tok, "} else {"))
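Review bot: The new `else` branch in `assignExprValue` evaluates the index expression only so that the callbacks run on it, and nothing in the code says so; `indexValue` is passed to `call(...)` and then dropped. A short comment such as `// array value not tracked: still evaluate the index so the checker callbacks see it` would keep a later cleanup from treating the branch as dead code. The condition this `else` belongs to lies outside the hunk, so that wording should be checked against it. `expr->astOperand2()` is forwarded without a null check, and whether `executeExpression` and `call` tolerate a null token is not visible here, so that is worth confirming for an incomplete AST. The same applies to the added `tok = tok->linkAt(1);` in `execute`, whose result is used by the following `Token::simpleMatch` without a visible check.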


@ -37,6 +37,7 @@ private:
LOAD_LIB_2(settings.library, "std.cfg"); LOAD_LIB_2(settings.library, "std.cfg");
TEST_CASE(checkAssignment); TEST_CASE(checkAssignment);
TEST_CASE(arrayIndexOutOfBounds1); TEST_CASE(arrayIndexOutOfBounds1);
TEST_CASE(arrayIndexOutOfBounds2);
TEST_CASE(bufferOverflowMemCmp1); TEST_CASE(bufferOverflowMemCmp1);
TEST_CASE(bufferOverflowMemCmp2); TEST_CASE(bufferOverflowMemCmp2);
TEST_CASE(bufferOverflowStrcpy1); TEST_CASE(bufferOverflowStrcpy1);
@ -82,6 +83,17 @@ private:
errout.str()); errout.str());
} }
void arrayIndexOutOfBounds2() {
check("void foo(int n) {\n"
" int p[8];"
" for (int i = 0; i < n; i++)"
" p[i] = 0;\n"
"}");
ASSERT_EQUALS("[test.cpp:2]: (error) Array index out of bounds, cannot determine that i is less than 8\n"
"[test.cpp:2]: (error) Array index out of bounds, cannot determine that i is not negative\n",
errout.str());
}
void bufferOverflowMemCmp1() { void bufferOverflowMemCmp1() {
// CVE-2020-24265 // CVE-2020-24265
check("void foo(const char *pktdata, int datalen) {\n" check("void foo(const char *pktdata, int datalen) {\n"
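Review bot: Two of the source lines in `arrayIndexOutOfBounds2` have no trailing `\n` (`" int p[8];"` and `" for (int i = 0; i < n; i++)"`), so the declaration, the loop header and the store `p[i] = 0;` all land on line 2 of the test input. The expected `[test.cpp:2]` therefore does not pin which statement the diagnostic is attributed to. Ending each string with `\n` and adjusting the expected line number would make the assertion precise. A companion case with a bound the engine can prove, for example `i < 8` with `ASSERT_EQUALS("", errout.str());`, would also guard against the new index callback producing false positives.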