Buffer Overrun: Fixed false positive when variable is reassigned in called function

2010-07-05 22:19:27 +02:00 · 2010-07-05 22:19:27 +02:00 · b02fc037ed
parent ae3557fa92
commit b02fc037ed
2 changed files with 20 additions and 0 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -1858,6 +1858,13 @@ private:
            return &tok;
        }

+        // Assign variable (unknown value = 0)..
+        if (Token::Match(tok.tokAt(-2), "(|, & %var% ,|)"))
+        {
+            assign_value(checks, tok.varId(), "0");
+            return &tok;
+        }
+
        // Array index..
        if (Token::Match(&tok, "%var% [ %var% ]"))
        {
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -172,6 +172,7 @@ private:
        TEST_CASE(crash);	// Ticket #1587 - crash

        TEST_CASE(executionPaths1);
+        TEST_CASE(executionPaths2);

        TEST_CASE(cmdLineArgs1);
    }
@ -2323,6 +2324,18 @@ private:
        ASSERT_EQUALS("[test.cpp:7]: (error) Array 'buf[10][5]' index 1000 out of bounds\n", errout.str());
    }

+    void executionPaths2()
+    {
+        epcheck("void foo()\n"
+                "{\n"
+                "    char a[64];\n"
+                "    int sz = sizeof(a);\n"
+                "    bar(&sz);\n"
+                "    a[sz] = 0;\n"
+                "}\n");
+        ASSERT_EQUALS("", errout.str());
+    }
+
    void cmdLineArgs1()
    {
        check("int main(int argc, char* argv[])\n"