walkero
/
cppcheck
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Fixed #3933 (Negative array index issue (because sizeof struct is assumed to be 100))

This commit is contained in:
Daniel Marjamäki 2012-09-16 08:20:43 +02:00
parent 3368514e7e
commit a99515ca91
3 changed files with 9 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/tokenize.cpp
View File

@ -3035,14 +3035,6 @@ void Tokenizer::createLinks2()
bool Tokenizer::simplifySizeof() bool Tokenizer::simplifySizeof()
{ {
for (Token *tok = list.front(); tok; tok = tok->next()) {
if (Token::Match(tok, "class|struct %var%")) {
// we assume that the size of structs and classes are always
// 100 bytes.
_typeSize[tok->next()->str()] = 100;
}
}
// Locate variable declarations and calculate the size // Locate variable declarations and calculate the size
std::map<unsigned int, std::string> sizeOfVar; std::map<unsigned int, std::string> sizeOfVar;
for (Token *tok = list.front(); tok; tok = tok->next()) { for (Token *tok = list.front(); tok; tok = tok->next()) {
@ -3060,10 +3052,6 @@ bool Tokenizer::simplifySizeof()
sizeOfVar[varId] = MathLib::longToString(size); sizeOfVar[varId] = MathLib::longToString(size);
} }
else if (Token::Match(tok->tokAt(-3), "[;{}(,] struct %type% %var% [;,)]")) {
sizeOfVar[varId] = "100";
}
else if (Token::Match(tok->previous(), "%type% %var% [ %num% ] [;=]") || else if (Token::Match(tok->previous(), "%type% %var% [ %num% ] [;=]") ||
Token::Match(tok->tokAt(-2), "%type% * %var% [ %num% ] [;=]")) { Token::Match(tok->tokAt(-2), "%type% * %var% [ %num% ] [;=]")) {
const unsigned int size = sizeOfType(tok->previous()); const unsigned int size = sizeOfType(tok->previous());

13
test/testbufferoverrun.cpp
View File

@ -563,7 +563,7 @@ private:
"}\n"); "}\n");
TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' accessed at index 11, which is out of bounds.\n", "", errout.str()); TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' accessed at index 11, which is out of bounds.\n", "", errout.str());
// This is out of bounds because it is outside the memory allocated. // This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
check("struct ABC\n" check("struct ABC\n"
"{\n" "{\n"
" char str[1];\n" " char str[1];\n"
@ -574,7 +574,7 @@ private:
" struct ABC* x = (struct ABC *)malloc(sizeof(ABC) + 10);\n" " struct ABC* x = (struct ABC *)malloc(sizeof(ABC) + 10);\n"
" x->str[11] = 0;" " x->str[11] = 0;"
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:9]: (error) Array 'x.str[11]' accessed at index 11, which is out of bounds.\n", errout.str()); TODO_ASSERT_EQUALS("error", "", errout.str());
// This is out of bounds because it is outside the memory allocated // This is out of bounds because it is outside the memory allocated
/** @todo this doesn't work because of a bug in sizeof(struct) */ /** @todo this doesn't work because of a bug in sizeof(struct) */
@ -591,6 +591,7 @@ private:
TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' accessed at index 1, which is out of bounds.\n", "", errout.str()); TODO_ASSERT_EQUALS("[test.cpp:9]: (error) Array 'str[1]' accessed at index 1, which is out of bounds.\n", "", errout.str());
// This is out of bounds because it is outside the memory allocated // This is out of bounds because it is outside the memory allocated
// But only if 'sizeof(ABC)' is 1 (No padding)
check("struct ABC\n" check("struct ABC\n"
"{\n" "{\n"
" char str[1];\n" " char str[1];\n"
@ -601,7 +602,7 @@ private:
" struct ABC* x = (struct ABC *)malloc(sizeof(ABC));\n" " struct ABC* x = (struct ABC *)malloc(sizeof(ABC));\n"
" x->str[1] = 0;" " x->str[1] = 0;"
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:9]: (error) Array 'x.str[1]' accessed at index 1, which is out of bounds.\n", errout.str()); TODO_ASSERT_EQUALS("error", "", errout.str());
// This is out of bounds because it is not a variable array // This is out of bounds because it is not a variable array
check("struct ABC\n" check("struct ABC\n"
@ -2791,6 +2792,7 @@ private:
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds.\n", errout.str()); ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds.\n", errout.str());
// This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
check("struct Foo { char a[1]; };\n" check("struct Foo { char a[1]; };\n"
"void f()\n" "void f()\n"
"{\n" "{\n"
@ -2798,7 +2800,7 @@ private:
" sprintf(x.a, \"aa\");\n" " sprintf(x.a, \"aa\");\n"
" free(x);\n" " free(x);\n"
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds.\n", errout.str()); TODO_ASSERT_EQUALS("error", "", errout.str());
check("struct Foo { char a[1]; };\n" check("struct Foo { char a[1]; };\n"
"void f()\n" "void f()\n"
@ -2883,6 +2885,7 @@ private:
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:5]: (error) snprintf size is out of bounds: Supplied size 2 is larger than actual size 1.\n", errout.str()); ASSERT_EQUALS("[test.cpp:5]: (error) snprintf size is out of bounds: Supplied size 2 is larger than actual size 1.\n", errout.str());
// This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
check("struct Foo { char a[1]; };\n" check("struct Foo { char a[1]; };\n"
"void f()\n" "void f()\n"
"{\n" "{\n"
@ -2890,7 +2893,7 @@ private:
" snprintf(x.a, 2, \"aa\");\n" " snprintf(x.a, 2, \"aa\");\n"
" free(x);\n" " free(x);\n"
"}\n"); "}\n");
ASSERT_EQUALS("[test.cpp:5]: (error) snprintf size is out of bounds: Supplied size 2 is larger than actual size 1.\n", errout.str()); TODO_ASSERT_EQUALS("error", "", errout.str());
check("struct Foo { char a[1]; };\n" check("struct Foo { char a[1]; };\n"
"void f()\n" "void f()\n"

13
test/testsimplifytokens.cpp
View File

@ -65,7 +65,6 @@ private:
TEST_CASE(elseif1); TEST_CASE(elseif1);
TEST_CASE(ifa_ifa); // "if (a) { if (a) .." => "if (a) { if (1) .." TEST_CASE(ifa_ifa); // "if (a) { if (a) .." => "if (a) { if (1) .."
TEST_CASE(sizeof1);
TEST_CASE(sizeof2); TEST_CASE(sizeof2);
TEST_CASE(sizeof3); TEST_CASE(sizeof3);
TEST_CASE(sizeof4); TEST_CASE(sizeof4);
@ -88,7 +87,6 @@ private:
TEST_CASE(sizeof21); // #2232 - sizeof...(Args) TEST_CASE(sizeof21); // #2232 - sizeof...(Args)
TEST_CASE(sizeof22); // #2599 TEST_CASE(sizeof22); // #2599
TEST_CASE(sizeof23); // #2604 TEST_CASE(sizeof23); // #2604
TEST_CASE(sizeof24); // struct variable
TEST_CASE(sizeofsizeof); TEST_CASE(sizeofsizeof);
TEST_CASE(casting); TEST_CASE(casting);
@ -973,10 +971,6 @@ private:
return tokenizer.sizeOfType(&tok1); return tokenizer.sizeOfType(&tok1);
} }
void sizeof1() {
ASSERT_EQUALS("struct ABC * abc ; abc = malloc ( 100 ) ;", tok("struct ABC *abc = malloc(sizeof(*abc));"));
ASSERT_EQUALS("struct ABC * abc ; abc = malloc ( 100 ) ;", tok("struct ABC *abc = malloc(sizeof *abc );"));
}
void sizeof2() { void sizeof2() {
@ -1505,7 +1499,7 @@ private:
ASSERT_EQUALS("struct struct_a { char a [ 20 ] ; } ; " ASSERT_EQUALS("struct struct_a { char a [ 20 ] ; } ; "
"void foo ( ) {" "void foo ( ) {"
" struct_a a ;" " struct_a a ;"
" append ( 100 ) . append ( ) ; " " append ( sizeof ( a ) ) . append ( ) ; "
"}", tok(code)); "}", tok(code));
} }
@ -1544,11 +1538,6 @@ private:
tok(code); tok(code);
} }
void sizeof24() {
const char code[] = "; struct AB ab; sizeof(ab)";
ASSERT_EQUALS("; struct AB ab ; 100", tok(code));
}
void sizeofsizeof() { void sizeofsizeof() {
// ticket #1682 // ticket #1682