fixed ticket 997, now fread and fwrite checked for bufferoverrun

2010-04-06 13:55:03 +02:00 · 2010-04-06 13:55:03 +02:00 · c4d1d47f6b
parent 928163b0cf
commit c4d1d47f6b
2 changed files with 48 additions and 0 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -608,6 +608,24 @@ void CheckBufferOverrun::checkScope(const Token *tok, const std::vector<std::str
            }
        }

+        // fread|frwite
+        // size_t fread ( void * ptr, size_t size, size_t count, FILE * stream );
+        // ptr    -> Pointer to a block of memory with a minimum size of (size*count) bytes.
+        // size   -> Size in bytes of each element to be read.
+        // count  -> Number of elements, each one with a size of size bytes.
+        // stream -> Pointer to a FILE object that specifies an input stream. 
+        if (varid > 0 &&
+            Token::Match(tok, "fread|fwrite ( %varid% , %num% , %num% , %any% )", varid) &&
+            MathLib::isInt(tok->strAt(6)))
+        {
+            long len = MathLib::toLongNumber(tok->strAt(4))*MathLib::toLongNumber(tok->strAt(6));
+            if (len < 0 || len > total_size)
+            {
+                bufferOverrun(tok);
+                continue;
+            }
+        }
+
        // Writing data into array..
        if (varid > 0 &&
            Token::Match(tok, "fgets ( %varid% , %num% , %any% )", varid) &&
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -1070,6 +1070,36 @@ private:
              "}\n");
        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());

+        // fread
+        check("void f(FILE* fd)\n"
+              "{\n"
+	          "char str[3];\n"
+	          "fread(str,sizeof(char),4,fd);\n" 
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());
+
+        check("void f(FILE* fd)\n"
+              "{\n"
+	          "char str[3*sizeof(char)];\n"
+	          "fread(str,sizeof(char),3,fd);\n" 
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+
+        // fwrite
+        check("void f(FILE* fd)\n"
+              "{\n"
+	          "char str[3];\n"
+	          "fwrite(str,sizeof(char),4,fd);\n" 
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str());
+
+        check("void f(FILE* fd)\n"
+              "{\n"
+	          "char str[3*sizeof(char)];\n"
+	          "fwrite(str,sizeof(char),3,fd);\n" 
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+
    }