Added a test for out-of-bounds character array access.
parent
ae6c97eb39
commit
966491d40b
|
@ -1439,13 +1439,12 @@ void CheckBufferOverrun::checkGlobalAndLocalVariable()
|
||||||
// check string literals
|
// check string literals
|
||||||
for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) {
|
for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) {
|
||||||
if (Token::Match(tok, "%str% [ %num% ]")) {
|
if (Token::Match(tok, "%str% [ %num% ]")) {
|
||||||
std::string str = tok->strValue();
|
const std::size_t strLen = tok->str().size() - 2; // Don't count enclosing quotes
|
||||||
std::size_t index = (std::size_t)std::atoi(tok->strAt(2).c_str());
|
const std::size_t index = (std::size_t)std::atoi(tok->strAt(2).c_str());
|
||||||
if (index > str.length()) {
|
if (index > strLen)
|
||||||
bufferOverrunError(tok, tok->str());
|
bufferOverrunError(tok, tok->str());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// check all known fixed size arrays first by just looking them up
|
// check all known fixed size arrays first by just looking them up
|
||||||
const SymbolDatabase* symbolDatabase = _tokenizer->getSymbolDatabase();
|
const SymbolDatabase* symbolDatabase = _tokenizer->getSymbolDatabase();
|
||||||
|
|
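Review bot: The new `strLen` in the `%str% [ %num% ]` branch is the raw token length minus the two quotes, so each escape sequence in the literal counts as two or more characters and the bound comes out larger than the real array. For `"\n"[2]` this gives `strLen == 2`, so `index > strLen` is false and no error is reported, although the literal holds only one character plus the terminator. A prefixed literal such as `L"abc"` is presumably miscounted the same way if the prefix stays in the token string. I would take the length from the decoded literal, for example `const std::size_t strLen = Token::getStrLength(tok);`, after confirming how that helper treats an embedded `\0`. checkGlobalAndLocalVariable() continues outside the hunk.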
|
@ -169,6 +169,7 @@ private:
|
||||||
TEST_CASE(buffer_overrun_25); // #4096
|
TEST_CASE(buffer_overrun_25); // #4096
|
||||||
TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault)
|
TEST_CASE(buffer_overrun_26); // #4432 (segmentation fault)
|
||||||
TEST_CASE(buffer_overrun_27); // #4444 (segmentation fault)
|
TEST_CASE(buffer_overrun_27); // #4444 (segmentation fault)
|
||||||
|
TEST_CASE(buffer_overrun_28); // Out of bound char array access
|
||||||
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
|
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
|
||||||
TEST_CASE(buffer_overrun_function_array_argument);
|
TEST_CASE(buffer_overrun_function_array_argument);
|
||||||
TEST_CASE(possible_buffer_overrun_1); // #3035
|
TEST_CASE(possible_buffer_overrun_1); // #3035
|
||||||
|
@ -2719,6 +2720,11 @@ private:
|
||||||
ASSERT_EQUALS("", errout.str());
|
ASSERT_EQUALS("", errout.str());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void buffer_overrun_28() {
|
||||||
|
check("char c = \"abc\"[4];");
|
||||||
|
ASSERT_EQUALS("[test.cpp:1]: (error) Buffer is accessed out of bounds: \"abc\"\n", errout.str());
|
||||||
|
}
|
||||||
|
|
||||||
void buffer_overrun_bailoutIfSwitch() {
|
void buffer_overrun_bailoutIfSwitch() {
|
||||||
// No false positive
|
// No false positive
|
||||||
check("void f1(char *s) {\n"
|
check("void f1(char *s) {\n"
|
||||||
|
|
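Review bot: buffer_overrun_28 pins only the failing index, so the boundary the checker depends on is untested: `"abc"[3]` reads the terminating NUL and must produce no error. A second case such as `check("char c = \"abc\"[3];");` followed by `ASSERT_EQUALS("", errout.str());` would catch an off-by-one if the checker's comparison is ever changed from `>` to `>=`. A literal containing an escape sequence, e.g. `"a\n"[3]`, also deserves a case, because the expected result depends on how the literal's length is counted.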