From c4d1d47f6bd29f8b35a6fdf831d978c12ee032dc Mon Sep 17 00:00:00 2001 From: Martin Ettl Date: Tue, 6 Apr 2010 13:55:03 +0200 Subject: [PATCH] fixed ticket 997, now fread and fwrite checked for bufferoverrun --- lib/checkbufferoverrun.cpp | 18 ++++++++++++++++++ test/testbufferoverrun.cpp | 30 ++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp index 9026c29fb..522c4a4fa 100644 --- a/lib/checkbufferoverrun.cpp +++ b/lib/checkbufferoverrun.cpp @@ -608,6 +608,24 @@ void CheckBufferOverrun::checkScope(const Token *tok, const std::vector Pointer to a block of memory with a minimum size of (size*count) bytes. + // size -> Size in bytes of each element to be read. + // count -> Number of elements, each one with a size of size bytes. + // stream -> Pointer to a FILE object that specifies an input stream. + if (varid > 0 && + Token::Match(tok, "fread|fwrite ( %varid% , %num% , %num% , %any% )", varid) && + MathLib::isInt(tok->strAt(6))) + { + long len = MathLib::toLongNumber(tok->strAt(4))*MathLib::toLongNumber(tok->strAt(6)); + if (len < 0 || len > total_size) + { + bufferOverrun(tok); + continue; + } + } + // Writing data into array.. if (varid > 0 && Token::Match(tok, "fgets ( %varid% , %num% , %any% )", varid) && diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp index 5cacd6b0e..5a344c9cc 100644 --- a/test/testbufferoverrun.cpp +++ b/test/testbufferoverrun.cpp 
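Review bot: The product on the `long len = MathLib::toLongNumber(tok->strAt(4))*MathLib::toLongNumber(tok->strAt(6));` line can overflow before the `len < 0 || len > total_size` test runs, and because signed overflow is undefined a wrapped result is not guaranteed to be negative, so a very large `size*count` may be accepted as in-bounds and the overrun goes unreported. Comparing by division avoids the multiply: read the two operands into `size` and `count` and test `if (size < 0 || count < 0 || (size > 0 && count > total_size / size))`. Only `tok->strAt(6)` is guarded with `MathLib::isInt`; if `%num%` can also match a non-integer literal, the element-size operand presumably needs the same guard, `MathLib::isInt(tok->strAt(4)) &&`. The added cases in test/testbufferoverrun.cpp all use `sizeof(char)`, so the multiplication is never exercised with an element size above 1; a case with a larger size literal would cover it. `checkScope` starts and ends outside this hunk, so the declaration of `total_size` is not visible here.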
@@ -1070,6 +1070,36 @@ private: "}\n"); ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str()); + // fread + check("void f(FILE* fd)\n" + "{\n" + "char str[3];\n" + "fread(str,sizeof(char),4,fd);\n" + "}\n"); + ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str()); + + check("void f(FILE* fd)\n" + "{\n" + "char str[3*sizeof(char)];\n" + "fread(str,sizeof(char),3,fd);\n" + "}\n"); + ASSERT_EQUALS("", errout.str()); + + // fwrite + check("void f(FILE* fd)\n" + "{\n" + "char str[3];\n" + "fwrite(str,sizeof(char),4,fd);\n" + "}\n"); + ASSERT_EQUALS("[test.cpp:4]: (error) Buffer access out-of-bounds\n", errout.str()); + + check("void f(FILE* fd)\n" + "{\n" + "char str[3*sizeof(char)];\n" + "fwrite(str,sizeof(char),3,fd);\n" + "}\n"); + ASSERT_EQUALS("", errout.str()); + }