From bdfac5db096655bb55b0afe542d837423594c11e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Marjam=C3=A4ki?=
Date: Sat, 5 Dec 2020 13:51:12 +0100
Subject: [PATCH] Bug hunting: Fixed test case CVE-2019-19334
---
 lib/bughuntingchecks.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/bughuntingchecks.cpp b/lib/bughuntingchecks.cpp
index 0f9ca984e..09464be39 100644
--- a/lib/bughuntingchecks.cpp
+++ b/lib/bughuntingchecks.cpp
@@ -114,8 +114,12 @@ static void bufferOverflow(const Token *tok, const ExprEngine::Value &value, Exp
 }
 std::shared_ptr arrayValue = std::dynamic_pointer_cast(argValue);
- if (!arrayValue || arrayValue->size.size() != 1) // TODO : multidimensional array
- continue;
+ if (!arrayValue || arrayValue->size.size() != 1) {
+ // TODO: implement this properly.
+ overflowArgument = argnr;
+ bailout = true;
+ break;
+ }
 const Library::ArgumentChecks &checks = argNrChecks.second;
 for (const Library::ArgumentChecks::MinSize &minsize: checks.minsizes) {
@@ -131,6 +135,12 @@ static void bufferOverflow(const Token *tok, const ExprEngine::Value &value, Exp
 break;
 }
 } else if (minsize.type == Library::ArgumentChecks::MinSize::STRLEN && minsize.arg > 0 && minsize.arg <= arguments.size()) {
+ if (func->formatstr) {
+ // TODO: implement this properly. check if minsize refers to a format string and check max length of that..
+ overflowArgument = argnr;
+ bailout = true;
+ break;
+ }
 if (Token::Match(arguments[minsize.arg - 1], "%str%")) {
 const Token * const str = arguments[minsize.arg - 1];
 if (arrayValue->size[0]->isLessThan(dataBase, Token::getStrLength(str))) {
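Review bot: The added `break` in the `!arrayValue || arrayValue->size.size() != 1` branch leaves the argument loop, so once one argument of the call has no one-dimensional array value the remaining arguments of the same call, and their minsize checks, are never examined, whereas the replaced `continue` only skipped that one argument. If a per-call bailout is intended because `overflowArgument` records the first unprovable argument, the TODO should say so, e.g. `// TODO: non-array (plain pointer) or multidimensional argument: buffer size unknown, bail out for the whole call`; if per-argument handling was intended, keep `continue` for the `!arrayValue` case and bail out only when `arrayValue->size.size() != 1`. Where `bailout` and `overflowArgument` are consumed, and the rest of `bufferOverflow`, lie outside the hunk, so which is correct cannot be decided from here. The context lines also appear to have lost their template arguments (`std::shared_ptr arrayValue = std::dynamic_pointer_cast(argValue)`) and two context lines implied by the `-114,8 +114,12` counts, presumably an extraction artifact rather than part of the commit.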
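Review bot: The new `if (func->formatstr)` bailout is taken before the `%str%` literal check that follows it, so a call such as `sprintf(buf, "literal")` with a `%`-free format string, whose output length is exactly `Token::getStrLength(str)`, now bails out instead of being checked. The guard could be narrowed to bail only when the format argument is not a literal or contains a `%` conversion, e.g. `if (func->formatstr && (!Token::Match(arguments[minsize.arg - 1], "%str%") || arguments[minsize.arg - 1]->str().find('%') != std::string::npos))` (assuming `Token::str()` yields the literal text); this stays sound, since a literal containing `%` expands to an unknown length, and the pre-commit code was wrong to treat `strlen(format)` as the output length, which is neither a lower nor an upper bound for it. Note that `break` here exits only the `minsizes` loop; whether the enclosing argument loop also stops, and how `bailout`/`overflowArgument` are reported, is outside the hunk, as is the rest of `bufferOverflow`. The TODO would also be more actionable as `// TODO: for format-string functions the output length depends on the conversion arguments; bound it from the format and their value ranges instead of bailing out`.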