CheckBufferOverrun: Improved checking of arrays declared like this: "type * var [ num ]"

This commit is contained in:
Daniel Marjamäki 2008-03-27 05:41:21 +00:00
parent 021b86afa2
commit bf6926232b
2 changed files with 46 additions and 8 deletions


@ -461,11 +461,14 @@ static void CheckBufferOverrun_LocalVariable()
static void CheckBufferOverrun_StructVariable() static void CheckBufferOverrun_StructVariable()
{ {
const char *declstruct_pattern[] = {"struct","","{",0}; const char *declstruct_pattern[] = {"","","{",0};
for ( const TOKEN * tok = findtoken( tokens, declstruct_pattern ); for ( const TOKEN * tok = findtoken( tokens, declstruct_pattern );
tok; tok;
tok = findtoken( tok->next, declstruct_pattern ) ) tok = findtoken( tok->next, declstruct_pattern ) )
{ {
if ( strcmp(tok->str, "struct") && strcmp(tok->str, "class") )
continue;
const char *structname = tok->next->str; const char *structname = tok->next->str;
if ( ! IsName( structname ) ) if ( ! IsName( structname ) )
@ -480,11 +483,14 @@ static void CheckBufferOverrun_StructVariable()
if ( strchr( ";{,(", tok2->str[0] ) ) if ( strchr( ";{,(", tok2->str[0] ) )
{ {
// Declare array.. // Declare array..
if ( match(tok2->next, "var var [ num ] ;") ) if ( match(tok2->next, "type var [ num ] ;") ||
match(tok2->next, "type * var [ num ] ;") )
{ {
const char *varname[3] = {0,0,0}; const char *varname[3] = {0,0,0};
varname[1] = getstr(tok2, 2); int ivar = IsName(getstr(tok2, 2)) ? 2 : 3;
int arrsize = atoi(getstr(tok2, 4));
varname[1] = getstr(tok2, ivar);
int arrsize = atoi(getstr(tok2, ivar+2));
int total_size = arrsize * SizeOfType(tok2->next->str); int total_size = arrsize * SizeOfType(tok2->next->str);
if (total_size == 0) if (total_size == 0)
continue; continue;
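Review bot: For the new `type * var [ num ] ;` form, `total_size` on the last lines of this hunk is still computed as `arrsize * SizeOfType(tok2->next->str)`, and `tok2->next` is the base type token, so a member like `char *str[10]` is sized as 10 bytes rather than 10 pointers. If `total_size` is later compared against byte counts (it is only visible here feeding the `== 0` skip), pointer arrays will be under-sized and copies into them mis-reported; an element-count-only check is unaffected, so this needs confirming against the rest of the function. At minimum mark the assumption, e.g. `// ivar == 3: array of pointers, element size is pointer size, not SizeOfType(type)`, and derive the element size from `ivar` rather than always from the base type. CheckBufferOverrun_StructVariable continues past the end of this hunk.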


@ -418,7 +418,20 @@ static void buffer_overrun()
const char test11[] = "static void memclr( char *data )\n" const char test11[] = "struct ABC\n"
"{\n"
" char str[5];\n"
"};\n"
"\n"
"static void f(ABC *abc)\n"
"{\n"
" strcpy( abc->str, \"abcdef\" );\n"
"}\n";
check( CheckBufferOverrun, __LINE__, test11, "[test.cpp:8]: Buffer overrun\n" );
const char test12[] = "static void memclr( char *data )\n"
"{\n" "{\n"
" data[10] = 0;\n" " data[10] = 0;\n"
"}\n" "}\n"
@ -428,10 +441,10 @@ static void buffer_overrun()
" char str[5];\n" " char str[5];\n"
" memclr( str ); // ERROR\n" " memclr( str ); // ERROR\n"
"}\n"; "}\n";
check( CheckBufferOverrun, __LINE__, test11, "[test.cpp:9] -> [test.cpp:3]: Array index out of bounds\n" ); check( CheckBufferOverrun, __LINE__, test12, "[test.cpp:9] -> [test.cpp:3]: Array index out of bounds\n" );
const char test12[] = "struct ABC\n" const char test13[] = "struct ABC\n"
"{\n" "{\n"
" char str[10];\n" " char str[10];\n"
"};\n" "};\n"
@ -445,7 +458,26 @@ static void buffer_overrun()
"{\n" "{\n"
" memclr(abc->str);\n" " memclr(abc->str);\n"
"}\n"; "}\n";
check( CheckBufferOverrun, __LINE__, test12, "[test.cpp:13] -> [test.cpp:8]: Array index out of bounds\n" ); check( CheckBufferOverrun, __LINE__, test13, "[test.cpp:13] -> [test.cpp:8]: Array index out of bounds\n" );
const char test14[] = "class ABC\n"
"{\n"
"public:\n"
" ABC();\n"
" char *str[10];\n"
" struct ABC *next;"
"};\n"
"\n"
"static void f()\n"
"{\n"
" for ( ABC *abc = abc1; abc; abc = abc->next )\n"
" {\n"
" abc->str[10] = 0;\n"
" }\n"
"}\n";
check( CheckBufferOverrun, __LINE__, test14, "[test.cpp:12]: Array index out of bounds\n" );