Fixed #1478 (false negative: buffer access out of bounds not detected after free and malloc)

2017-12-31 14:58:26 +01:00 · 2017-12-31 14:58:26 +01:00 · 7d2450e445
parent 79f6793076
commit 7d2450e445
2 changed files with 10 additions and 2 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -1233,8 +1233,7 @@ void CheckBufferOverrun::checkGlobalAndLocalVariable()
        const Scope * scope = symbolDatabase->functionScopes[i];

        for (const Token *tok = scope->classStart; tok != scope->classEnd; tok = tok->next()) {
-            // if the previous token exists, it must be either a variable name or "[;{}]"
-            if (tok->previous() && !Token::Match(tok->previous(), "%name%|;|{|}"))
+            if (!Token::Match(tok, "[*;{}] %var% ="))
                continue;

            // size : Max array index
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -2985,6 +2985,15 @@ private:
              "}");
        ASSERT_EQUALS("[test.cpp:3]: (error) Array 'tab4[20]' accessed at index 20, which is out of bounds.\n", errout.str());

+        // ticket #1478
+        check("void foo() {\n"
+              "    char *p = malloc(10);\n"
+              "    free(p);\n"
+              "    p = malloc(10);\n"
+              "    p[10] = 0;\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:5]: (error) Array 'p[10]' accessed at index 10, which is out of bounds.\n", errout.str());
+
        // ticket #1134
        check("void f() {\n"
              "    int *x, i;\n"