improve message for #3035 (false negative: strcpy(dst, src) where src is bigger than dst)
parent
67e8731a96
commit
8c1efe9bb6
|
@ -113,11 +113,16 @@ void CheckBufferOverrun::bufferOverrun(const Token *tok, const std::string &varn
|
||||||
reportError(tok, Severity::error, "bufferAccessOutOfBounds", errmsg);
|
reportError(tok, Severity::error, "bufferAccessOutOfBounds", errmsg);
|
||||||
}
|
}
|
||||||
|
|
||||||
void CheckBufferOverrun::possibleBufferOverrunError(const Token *tok, const std::string &src, const std::string &dst)
|
void CheckBufferOverrun::possibleBufferOverrunError(const Token *tok, const std::string &src, const std::string &dst, bool cat)
|
||||||
{
|
{
|
||||||
|
if (cat)
|
||||||
reportError(tok, Severity::warning, "possibleBufferAccessOutOfBounds",
|
reportError(tok, Severity::warning, "possibleBufferAccessOutOfBounds",
|
||||||
"Possible buffer overflow if strlen(" + src + ") is larger than sizeof(" + dst + ")-strlen(" + dst +").\n"
|
"Possible buffer overflow if strlen(" + src + ") is larger than sizeof(" + dst + ")-strlen(" + dst +").\n"
|
||||||
"The source buffer is larger than the destination buffer so there is the potential for overflowing the destination buffer.");
|
"The source buffer is larger than the destination buffer so there is the potential for overflowing the destination buffer.");
|
||||||
|
else
|
||||||
|
reportError(tok, Severity::warning, "possibleBufferAccessOutOfBounds",
|
||||||
|
"Possible buffer overflow if strlen(" + src + ") is larger than or equal to sizeof(" + dst + ").\n"
|
||||||
|
"The source buffer is larger than the destination buffer so there is the potential for overflowing the destination buffer.");
|
||||||
}
|
}
|
||||||
|
|
||||||
void CheckBufferOverrun::strncatUsage(const Token *tok)
|
void CheckBufferOverrun::strncatUsage(const Token *tok)
|
||||||
|
@ -987,7 +992,7 @@ void CheckBufferOverrun::checkScope(const Token *tok, const std::vector<std::str
|
||||||
if (total_size > 0 && len > (unsigned int)total_size)
|
if (total_size > 0 && len > (unsigned int)total_size)
|
||||||
{
|
{
|
||||||
if (_settings->inconclusive)
|
if (_settings->inconclusive)
|
||||||
possibleBufferOverrunError(tok, tok->strAt(4), tok->strAt(2));
|
possibleBufferOverrunError(tok, tok->strAt(4), tok->strAt(2), tok->str() == "strcat");
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
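Review bot: The strcat branch of `possibleBufferOverrunError` still reports "is larger than sizeof(dst)-strlen(dst)", which is off by one: when strlen(src) equals the remaining space, strcat's terminating NUL lands one byte past the destination. The new strcpy branch accounts for the terminator with "larger than or equal to", so the two messages now disagree about the boundary; the cat branch should read `") is larger than or equal to sizeof(" + dst + ")-strlen(" + dst +").\n"`. Any strcat test expectations outside these hunks would need the same wording change. The second sentence of the message is repeated verbatim in both branches and could be held in one local string so the two variants cannot drift apart.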
|
||||||
|
|
|
@ -221,7 +221,7 @@ public:
|
||||||
void cmdLineArgsError(const Token *tok);
|
void cmdLineArgsError(const Token *tok);
|
||||||
void pointerOutOfBounds(const Token *tok, const std::string &object); // UB when result of calculation is out of bounds
|
void pointerOutOfBounds(const Token *tok, const std::string &object); // UB when result of calculation is out of bounds
|
||||||
void arrayIndexThenCheckError(const Token *tok, const std::string &indexName);
|
void arrayIndexThenCheckError(const Token *tok, const std::string &indexName);
|
||||||
void possibleBufferOverrunError(const Token *tok, const std::string &src, const std::string &dst);
|
void possibleBufferOverrunError(const Token *tok, const std::string &src, const std::string &dst, bool cat);
|
||||||
|
|
||||||
void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings)
|
void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings)
|
||||||
{
|
{
|
||||||
|
@ -236,7 +236,7 @@ public:
|
||||||
c.cmdLineArgsError(0);
|
c.cmdLineArgsError(0);
|
||||||
c.pointerOutOfBounds(0, "array");
|
c.pointerOutOfBounds(0, "array");
|
||||||
c.arrayIndexThenCheckError(0, "index");
|
c.arrayIndexThenCheckError(0, "index");
|
||||||
c.possibleBufferOverrunError(0, "source", "destination");
|
c.possibleBufferOverrunError(0, "source", "destination", false);
|
||||||
}
|
}
|
||||||
|
|
||||||
std::string myName() const
|
std::string myName() const
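Review bot: The new `bool cat` parameter on the `possibleBufferOverrunError` declaration is undocumented, and a call such as `c.possibleBufferOverrunError(0, "source", "destination", false);` does not show what `false` selects. A comment on the declaration would help, for example `// cat: true for strcat (compares against the space left in dst), false for strcpy (compares against the whole of dst)`. getErrorMessages passes only `false`, so the strcat wording presumably never shows up in the generated message list; confirm that is intended. The class body starts and ends outside these hunks.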
|
||||||
|
|
|
@ -2047,6 +2047,36 @@ private:
|
||||||
" strcat(data, src);\n"
|
" strcat(data, src);\n"
|
||||||
"}");
|
"}");
|
||||||
ASSERT_EQUALS("", errout.str());
|
ASSERT_EQUALS("", errout.str());
|
||||||
|
|
||||||
|
check("void foo() {\n"
|
||||||
|
" char * data = (char *)alloca(50);\n"
|
||||||
|
" char src[100];\n"
|
||||||
|
" memset(src, 'C', 100-1);\n"
|
||||||
|
" src[100-1] = '\\0';\n"
|
||||||
|
" strcpy(data, src);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("[test.cpp:6]: (warning) Possible buffer overflow if strlen(src) is larger than or equal to sizeof(data).\n", errout.str());
|
||||||
|
|
||||||
|
check("void foo() {\n"
|
||||||
|
" char * data = (char *)alloca(100);\n"
|
||||||
|
" char src[100];\n"
|
||||||
|
" memset(src, 'C', 100-1);\n"
|
||||||
|
" src[100-1] = '\\0';\n"
|
||||||
|
" strcpy(data, src);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("", errout.str());
|
||||||
|
|
||||||
|
check("void foo(char src[100]) {\n"
|
||||||
|
" char * data = (char *)alloca(50);\n"
|
||||||
|
" strcpy(data, src);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("[test.cpp:3]: (warning) Possible buffer overflow if strlen(src) is larger than or equal to sizeof(data).\n", errout.str());
|
||||||
|
|
||||||
|
check("void foo(char src[100]) {\n"
|
||||||
|
" char * data = (char *)alloca(100);\n"
|
||||||
|
" strcpy(data, src);\n"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("", errout.str());
|
||||||
}
|
}
|
||||||
|
|
||||||
void pointer_out_of_bounds_1()
|
void pointer_out_of_bounds_1()
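Review bot: The added cases use destination sizes 50 and 100 against a 100-byte source, so the exact boundary that the new "larger than or equal to" wording describes is never exercised. A destination of 99 bytes is the smallest overflow (99 characters plus the terminator) and, judging from the `len > (unsigned int)total_size` condition in checkScope, should still warn. Adding that case would pin the off-by-one behaviour. No test in this hunk covers the strcat wording selected by `cat == true`; the enclosing test function starts outside the hunk, so that may be covered elsewhere.

```cpp
// constructed boundary case: destination one byte smaller than the source array
check("void foo(char src[100]) {\n"
      "    char * data = (char *)alloca(99);\n"
      "    strcpy(data, src);\n"
      "}");
ASSERT_EQUALS("[test.cpp:3]: (warning) Possible buffer overflow if strlen(src) is larger than or equal to sizeof(data).\n", errout.str());
```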
|
||||||
|
|