fix #3124 (FP: Buffer access out-of-bounds when memset two dimension array (a[5][6]))
parent
3f364a3b2f
commit
b349d36c50
|
@ -991,14 +991,10 @@ void CheckBufferOverrun::checkScope(const Token *tok, const std::vector<std::str
|
||||||
// memset, memcmp, memcpy, strncpy, fgets..
|
// memset, memcmp, memcpy, strncpy, fgets..
|
||||||
if (varid == 0 && size > 0)
|
if (varid == 0 && size > 0)
|
||||||
{
|
{
|
||||||
ArrayInfo arrayInfo1(0U,
|
|
||||||
varnames,
|
|
||||||
(unsigned int)(total_size / size),
|
|
||||||
(unsigned int)size);
|
|
||||||
if (Token::Match(tok, ("%var% ( " + varnames + " ,").c_str()))
|
if (Token::Match(tok, ("%var% ( " + varnames + " ,").c_str()))
|
||||||
checkFunctionParameter(*tok, 1, arrayInfo1);
|
checkFunctionParameter(*tok, 1, arrayInfo);
|
||||||
if (Token::Match(tok, ("%var% ( %var% , " + varnames + " ,").c_str()))
|
if (Token::Match(tok, ("%var% ( %var% , " + varnames + " ,").c_str()))
|
||||||
checkFunctionParameter(*tok, 2, arrayInfo1);
|
checkFunctionParameter(*tok, 2, arrayInfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Loop..
|
// Loop..
|
||||||
|
|
|
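Review bot: The second-argument branch, `checkFunctionParameter(*tok, 2, arrayInfo);`, now takes the same `arrayInfo` as the first-argument branch, but the regression test added in this commit only calls `memset`, which reaches the argument-1 branch alone. A case that passes the two-dimensional member as the second argument, e.g. `memcpy(dst, a.b, 5 * 6);` expecting no message and `memcpy(dst, a.b, 6 * 6);` expecting the out-of-bounds error, would show that the false-positive fix does not become a missed overrun on that path. The `size > 0` half of the guard looks like it protected the removed `total_size / size` division; if it is still needed, a comment such as `// varid == 0: array is matched by name (struct/class member)` on the `if` would say why the guard stays. `arrayInfo` is declared outside this hunk, so this assumes it already holds the dimensions of the whole array.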
@ -149,6 +149,7 @@ private:
|
||||||
TEST_CASE(buffer_overrun_19); // #2597 - class member with unknown type
|
TEST_CASE(buffer_overrun_19); // #2597 - class member with unknown type
|
||||||
TEST_CASE(buffer_overrun_20); // #2986 (segmentation fault)
|
TEST_CASE(buffer_overrun_20); // #2986 (segmentation fault)
|
||||||
TEST_CASE(buffer_overrun_21);
|
TEST_CASE(buffer_overrun_21);
|
||||||
|
TEST_CASE(buffer_overrun_22); // #3124
|
||||||
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
|
TEST_CASE(buffer_overrun_bailoutIfSwitch); // ticket #2378 : bailoutIfSwitch
|
||||||
TEST_CASE(possible_buffer_overrun_1); // #3035
|
TEST_CASE(possible_buffer_overrun_1); // #3035
|
||||||
|
|
||||||
|
@ -1170,7 +1171,7 @@ private:
|
||||||
" struct s1 obj;\n"
|
" struct s1 obj;\n"
|
||||||
" x(obj.delay, 123);\n"
|
" x(obj.delay, 123);\n"
|
||||||
"}\n");
|
"}\n");
|
||||||
ASSERT_EQUALS("[test.cpp:11] -> [test.cpp:6]: (error) Array 'obj . delay[3]' index 4 out of bounds\n", errout.str());
|
ASSERT_EQUALS("[test.cpp:11] -> [test.cpp:6]: (error) Array 'obj.delay[3]' index 4 out of bounds\n", errout.str());
|
||||||
|
|
||||||
check("struct s1 {\n"
|
check("struct s1 {\n"
|
||||||
" float a[0];\n"
|
" float a[0];\n"
|
||||||
|
@ -2260,6 +2261,31 @@ private:
|
||||||
ASSERT_EQUALS("[test.cpp:6]: (error) Buffer access out-of-bounds: dst\n", errout.str());
|
ASSERT_EQUALS("[test.cpp:6]: (error) Buffer access out-of-bounds: dst\n", errout.str());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void buffer_overrun_22() // ticket #3124
|
||||||
|
{
|
||||||
|
check("class A {\n"
|
||||||
|
"public:\n"
|
||||||
|
" char b[5][6];\n"
|
||||||
|
"};\n"
|
||||||
|
"int main() {\n"
|
||||||
|
" A a;\n"
|
||||||
|
" memset(a.b, 0, 5 * 6);\n"
|
||||||
|
"}\n");
|
||||||
|
|
||||||
|
ASSERT_EQUALS("", errout.str());
|
||||||
|
|
||||||
|
check("class A {\n"
|
||||||
|
"public:\n"
|
||||||
|
" char b[5][6];\n"
|
||||||
|
"};\n"
|
||||||
|
"int main() {\n"
|
||||||
|
" A a;\n"
|
||||||
|
" memset(a.b, 0, 6 * 6);\n"
|
||||||
|
"}\n");
|
||||||
|
|
||||||
|
ASSERT_EQUALS("[test.cpp:7]: (error) Buffer access out-of-bounds: a.b\n", errout.str());
|
||||||
|
}
|
||||||
|
|
||||||
void buffer_overrun_bailoutIfSwitch()
|
void buffer_overrun_bailoutIfSwitch()
|
||||||
{
|
{
|
||||||
// No false positive
|
// No false positive
|
||||||
|
|
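Review bot: The failing case in `buffer_overrun_22` uses `memset(a.b, 0, 6 * 6);`, which is six bytes past the 30-byte array, so it does not pin the boundary that the fix moves. A third check with `memset(a.b, 0, 5 * 6 + 1);` and the same expected `Buffer access out-of-bounds: a.b` message would confirm that the first overrunning size is still reported. The changed expectation in the earlier hunk (`'obj . delay[3]'` to `'obj.delay[3]'`) alters user-visible message text and presumably follows from the name now being taken from `arrayInfo`; a comment on that assertion such as `// member name printed without spaces since #3124` would record the reason.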