CheckBufferOverrun: Detect overflows when buffer is allocated with alloca

2011-07-17 09:35:51 +02:00 · 2011-07-17 09:35:51 +02:00 · 7dcb68f5a4
parent 481be84004
commit 7dcb68f5a4
2 changed files with 13 additions and 1 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -1302,7 +1302,7 @@ void CheckBufferOverrun::checkGlobalAndLocalVariable()
            varid = tok->next()->varId();
            nextTok = 4;
        }
-        else if (indentlevel > 0 && Token::Match(tok, "[*;{}] %var% = malloc ( %num% ) ;"))
+        else if (indentlevel > 0 && Token::Match(tok, "[*;{}] %var% = malloc|alloca ( %num% ) ;"))
        {
            size = MathLib::toLongNumber(tok->strAt(5));
            type = "char";   // minimum type, typesize=1
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -187,6 +187,7 @@ private:
        TEST_CASE(alloc1);    // Buffer allocated with new
        TEST_CASE(alloc2);    // Buffer allocated with malloc
        TEST_CASE(alloc3);    // statically allocated buffer
+        TEST_CASE(alloc4);    // Buffer allocated with alloca
        TEST_CASE(malloc_memset);	// using memset on buffer allocated with malloc

        TEST_CASE(memset1);
@ -2478,6 +2479,17 @@ private:
        ASSERT_EQUALS("[test.cpp:4]: (error) Array 's[1]' index 10 out of bounds\n", errout.str());
    }

+    // data is allocated with alloca
+    void alloc4()
+    {
+        check("void foo()\n"
+              "{\n"
+              "    char *s = (char *)alloca(10);\n"
+              "    s[10] = 0;\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Array 's[10]' index 10 out of bounds\n", errout.str());
+    }
+
    void malloc_memset()
    {
        check("void f() {\n"