buffer overruns: added sprintf checking

This commit is contained in:
Daniel Marjamäki 2009-01-14 06:29:35 +00:00
parent 12b248aa66
commit a604f56f19
3 changed files with 40 additions and 2 deletions

View File

@ -258,6 +258,31 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
continue;
}
// sprintf..
if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% ,", varid))
{
int len = 0;
for (const Token *tok2 = tok->tokAt(6); tok2 && tok2->str() != ")"; tok2 = tok2->next())
{
if (tok2->aaaa0() == '\"')
{
len -= 2;
const char *str = tok->strAt(0);
while (*str)
{
if (*str == '\\')
++str;
++str;
++len;
}
}
}
if (len > (int)size)
{
ReportError(ErrorMessage::bufferOverrun(_tokenizer, tok));
}
}
// Function call..
// It's not interesting to check what happens when the whole struct is

View File

@ -40,10 +40,10 @@ private:
/** Check for buffer overruns - locate struct variables and check them with the .._CheckScope function */
void CheckBufferOverrun_StructVariable();
/** Check for buffer overruns - locate local function variables and check them with the .._CheckScope function */
void CheckBufferOverrun_LocalVariable();
/** Check for buffer overruns - this is the function that performs the actual checking */
void CheckBufferOverrun_CheckScope(const Token *tok, const char *varname[], const int size, const int total_size, unsigned int varid);

View File

@ -83,6 +83,8 @@ private:
TEST_CASE(buffer_overrun_1);
TEST_CASE(buffer_overrun_2);
TEST_CASE(sprintf1);
TEST_CASE(varid1);
TEST_CASE(varid2);
}
@ -359,6 +361,17 @@ private:
}
void sprintf1()
{
check("void f()\n"
"{\n"
" char str[3];\n"
" sprintf(str, \"%s\", \"abc\");\n"
"}\n");
ASSERT_EQUALS(std::string("[test.cpp:4]: Buffer overrun\n"), errout.str());
}
void varid1()
{