Fix #11765 FN: minsize not checked for string literal, buffer access out of bounds not found (#5154)

This commit is contained in:
chrchr-github 2023-07-08 14:46:32 +02:00 committed by GitHub
parent 49b79b7674
commit 9ad18f51af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 41 additions and 34 deletions

View File

@ -5011,7 +5011,6 @@ The obsolete function 'gets' is called. With 'gets' you'll get a buffer overrun
<arg nr="3" direction="in">
<not-null/>
<not-uninit/>
<minsize type="argvalue" arg="4"/>
<strz/>
</arg>
<arg nr="4" direction="in">
@ -5097,7 +5096,6 @@ The obsolete function 'gets' is called. With 'gets' you'll get a buffer overrun
<arg nr="3" direction="in">
<not-null/>
<not-uninit/>
<minsize type="argvalue" arg="4"/>
<strz/>
</arg>
<arg nr="4" direction="in">
@ -5213,7 +5211,6 @@ The obsolete function 'gets' is called. With 'gets' you'll get a buffer overrun
<not-null/>
<not-uninit/>
<strz/>
<minsize type="argvalue" arg="3"/>
</arg>
<arg nr="3" direction="in">
<not-uninit/>

View File

@ -554,20 +554,25 @@ ValueFlow::Value CheckBufferOverrun::getBufferSize(const Token *bufTok) const
return *value;
}
if (!var)
return ValueFlow::Value(-1);
const MathLib::bigint dim = std::accumulate(var->dimensions().cbegin(), var->dimensions().cend(), 1LL, [](MathLib::bigint i1, const Dimension &dim) {
MathLib::bigint dim = -1;
if (var) {
dim = std::accumulate(var->dimensions().cbegin(), var->dimensions().cend(), 1LL, [](MathLib::bigint i1, const Dimension &dim) {
return i1 * dim.num;
});
}
else if (bufTok->tokType() == Token::Type::eString) {
dim = Token::getStrLength(bufTok) + 1;
}
else
return ValueFlow::Value(-1);
ValueFlow::Value v;
v.setKnown();
v.valueType = ValueFlow::Value::ValueType::BUFFER_SIZE;
if (var->isPointerArray())
if (var && var->isPointerArray())
v.intvalue = dim * mSettings->platform.sizeof_pointer;
else if (var->isPointer())
else if (var && var->isPointer())
return ValueFlow::Value(-1);
else {
const MathLib::bigint typeSize = bufTok->valueType()->typeSize(mSettings->platform);
@ -646,7 +651,7 @@ void CheckBufferOverrun::bufferOverflow()
argtok = argtok->astOperand2() ? argtok->astOperand2() : argtok->astOperand1();
while (Token::Match(argtok, ".|::"))
argtok = argtok->astOperand2();
if (!argtok || !argtok->variable())
if (!argtok || (!argtok->variable() && argtok->tokType() != Token::Type::eString))
continue;
if (argtok->valueType() && argtok->valueType()->pointer == 0)
continue;

View File

@ -219,14 +219,12 @@ void bufferAccessOutOfBounds(void)
strncpy_s(a,5,"abcd",5);
// string will be truncated, error is returned, but no buffer overflow
strncpy_s(a,5,"abcde",6);
// TODO cppcheck-suppress bufferAccessOutOfBounds
strncpy_s(a,5,"a",6);
strncpy_s(a,5,"abcdefgh",4);
// valid call
strncat_s(a,5,"1",2);
// cppcheck-suppress bufferAccessOutOfBounds
strncat_s(a,10,"1",2);
// TODO cppcheck-suppress bufferAccessOutOfBounds
strncat_s(a,5,"1",5);
fread(a,1,5,stdin);
// cppcheck-suppress bufferAccessOutOfBounds
@ -518,7 +516,6 @@ void nullpointer(int value)
wcstok(NULL,L"xyz",&pWcsUninit);
strxfrm(0,"foo",0);
// TODO: error message (#6306 and http://trac.cppcheck.net/changeset/d11eb4931aea51cf2cb74faccdcd2a3289b818d6/)
strxfrm(0,"foo",42);
wcsxfrm(0,L"foo",0);
// TODO: error message when arg1==NULL and arg3!=0 #6306: https://trac.cppcheck.net/ticket/6306#comment:2

View File

@ -238,6 +238,7 @@ private:
TEST_CASE(buffer_overrun_34); //#11035
TEST_CASE(buffer_overrun_35); //#2304
TEST_CASE(buffer_overrun_36);
TEST_CASE(buffer_overrun_37);
TEST_CASE(buffer_overrun_errorpath);
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
TEST_CASE(buffer_overrun_function_array_argument);
@ -3324,23 +3325,6 @@ private:
" (void)strxfrm(dest,src,3);\n" // <<
"}");
ASSERT_EQUALS("[test.cpp:6]: (error) Buffer is accessed out of bounds: dest\n", errout.str());
// source size is too small
check("void f(void) {\n"
" const char src[2] = \"ab\";\n"
" char dest[3] = \"abc\";\n"
" (void)strxfrm(dest,src,1);\n"
" (void)strxfrm(dest,src,2);\n"
" (void)strxfrm(dest,src,3);\n" // <<
"}");
ASSERT_EQUALS("[test.cpp:6]: (error) Buffer is accessed out of bounds: src\n", errout.str());
// source size is too small
check("void f(void) {\n"
" const char src[1] = \"a\";\n"
" char dest[3] = \"abc\";\n"
" (void)strxfrm(dest,src,1);\n"
" (void)strxfrm(dest,src,2);\n" // <<
"}");
ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds: src\n", errout.str());
}
void buffer_overrun_33() { // #2019
@ -3403,6 +3387,32 @@ private:
ASSERT_EQUALS("", errout.str());
}
void buffer_overrun_37() { // #11765
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, \"Error\", 6);\n"
"}\n");
ASSERT_EQUALS("", errout.str());
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, \"Error\", 16);\n"
"}\n");
ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: \"Error\"\n", errout.str());
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, L\"Error\", 10);\n" // at least 12 bytes on any platform
"}\n");
ASSERT_EQUALS("", errout.str());
check("void f() {\n"
" char buf[128];\n"
" memcpy(buf, L\"Error\", 26);\n" // at most 24 bytes
"}\n");
ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: L\"Error\"\n", errout.str());
}
void buffer_overrun_errorpath() {
setMultiline();
const Settings settingsOld = settings0;
@ -4265,9 +4275,7 @@ private:
check("void f() {\n"
" mymemset(\"abc\", 0, 20);\n"
"}", settings);
TODO_ASSERT_EQUALS("[test.cpp:2]: (error) Buffer is accessed out of bounds.\n",
"",
errout.str());
ASSERT_EQUALS("[test.cpp:2]: (error) Buffer is accessed out of bounds: \"abc\"\n", errout.str());
check("void f() {\n"
" mymemset(temp, \"abc\", 4);\n"