walkero
/
cppcheck
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Bug hunting: Fixed test case CVE-2019-19334

This commit is contained in:
Daniel Marjamäki 2020-12-05 13:51:12 +01:00
parent cb7eee2aa9
commit bdfac5db09
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/bughuntingchecks.cpp
View File

@ -114,8 +114,12 @@ static void bufferOverflow(const Token *tok, const ExprEngine::Value &value, Exp
} }
std::shared_ptr<ExprEngine::ArrayValue> arrayValue = std::dynamic_pointer_cast<ExprEngine::ArrayValue>(argValue); std::shared_ptr<ExprEngine::ArrayValue> arrayValue = std::dynamic_pointer_cast<ExprEngine::ArrayValue>(argValue);
if (!arrayValue || arrayValue->size.size() != 1) // TODO : multidimensional array if (!arrayValue || arrayValue->size.size() != 1) {
continue; // TODO: implement this properly.
overflowArgument = argnr;
bailout = true;
break;
}
const Library::ArgumentChecks &checks = argNrChecks.second; const Library::ArgumentChecks &checks = argNrChecks.second;
for (const Library::ArgumentChecks::MinSize &minsize: checks.minsizes) { for (const Library::ArgumentChecks::MinSize &minsize: checks.minsizes) {
@ -131,6 +135,12 @@ static void bufferOverflow(const Token *tok, const ExprEngine::Value &value, Exp
break; break;
} }
} else if (minsize.type == Library::ArgumentChecks::MinSize::STRLEN && minsize.arg > 0 && minsize.arg <= arguments.size()) { } else if (minsize.type == Library::ArgumentChecks::MinSize::STRLEN && minsize.arg > 0 && minsize.arg <= arguments.size()) {
if (func->formatstr) {
// TODO: implement this properly. check if minsize refers to a format string and check max length of that..
overflowArgument = argnr;
bailout = true;
break;
}
if (Token::Match(arguments[minsize.arg - 1], "%str%")) { if (Token::Match(arguments[minsize.arg - 1], "%str%")) {
const Token * const str = arguments[minsize.arg - 1]; const Token * const str = arguments[minsize.arg - 1];
if (arrayValue->size[0]->isLessThan(dataBase, Token::getStrLength(str))) { if (arrayValue->size[0]->isLessThan(dataBase, Token::getStrLength(str))) {