walkero
/
cppcheck
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Buffer overflow; Fixed FPs when array size is 1

This commit is contained in:
Daniel Marjamäki 2021-05-22 12:13:39 +02:00
parent 1cb48ad418
commit 9a9f14bd8a
2 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
lib/checkbufferoverrun.cpp
View File

@ -609,6 +609,21 @@ void CheckBufferOverrun::bufferOverflow()
const ValueFlow::Value bufferSize = getBufferSize(argtok); const ValueFlow::Value bufferSize = getBufferSize(argtok);
if (bufferSize.intvalue <= 0) if (bufferSize.intvalue <= 0)
continue; continue;
// buffer size == 1 => do not warn for dynamic memory
if (bufferSize.intvalue == 1) {
const Token *tok2 = argtok;
while (Token::simpleMatch(tok2->astParent(), "."))
tok2 = tok2->astParent();
while (Token::Match(tok2, "[|."))
tok2 = tok2->astOperand1();
const Variable *var = tok2 ? tok2->variable() : nullptr;
if (var) {
if (var->isPointer())
continue;
if (var->isArgument() && (var->isPointer() || var->isReference()))
continue;
}
}
const bool error = std::none_of(minsizes->begin(), minsizes->end(), [=](const Library::ArgumentChecks::MinSize &minsize) { const bool error = std::none_of(minsizes->begin(), minsizes->end(), [=](const Library::ArgumentChecks::MinSize &minsize) {
return checkBufferSize(tok, minsize, args, bufferSize.intvalue, mSettings); return checkBufferSize(tok, minsize, args, bufferSize.intvalue, mSettings);
}); });

11
test/testbufferoverrun.cpp
View File

@ -3672,13 +3672,20 @@ private:
check("struct Foo { char a[1]; };\n" check("struct Foo { char a[1]; };\n"
"void f() {\n" "void f() {\n"
" struct Foo *x = malloc(sizeof(Foo));\n" " struct Foo *x = malloc(sizeof(Foo));\n"
" mysprintf(x.a, \"aa\");\n" " mysprintf(x->a, \"aa\");\n"
"}", settings); "}", settings);
ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", errout.str()); TODO_ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", "", errout.str());
check("struct Foo { char a[1]; };\n" check("struct Foo { char a[1]; };\n"
"void f() {\n" "void f() {\n"
" struct Foo *x = malloc(sizeof(Foo) + 10);\n" " struct Foo *x = malloc(sizeof(Foo) + 10);\n"
" mysprintf(x->a, \"aa\");\n"
"}", settings);
ASSERT_EQUALS("", errout.str());
check("struct Foo { char a[1]; };\n"
"void f() {\n"
" struct Foo x;\n"
" mysprintf(x.a, \"aa\");\n" " mysprintf(x.a, \"aa\");\n"
"}", settings); "}", settings);
ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", errout.str()); ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", errout.str());