Fix FN buffer overrun with array of pointers (#3582)

This commit is contained in:
chrchr-github 2021-11-27 12:15:36 +01:00 committed by GitHub
parent 1e327dfbd3
commit cea649761c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 1 deletions


@ -216,7 +216,7 @@ static bool getDimensionsEtc(const Token * const arrayToken, const Settings *set
Dimension dim;
dim.known = value->isKnown();
dim.tok = nullptr;
const int typeSize = array->valueType()->typeSize(*settings);
const int typeSize = array->valueType()->typeSize(*settings, array->valueType()->pointer > 1);
if (typeSize == 0)
return false;
dim.num = value->intvalue / typeSize;
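Review bot: The new typeSize line dereferences `array->valueType()` twice, and the hunk shows no null check on it; if the guard lives earlier in getDimensionsEtc (the function starts before this hunk) that is fine, but hoisting the pointer makes the element-size rule readable and keeps the dereference in one place: `const ValueType* vt = array->valueType();` followed by `const int typeSize = vt->typeSize(*settings, vt->pointer > 1);`. A one-line comment would help the next reader, since the second argument is the fix itself: `// T** points at an array of T*, so the element size is the pointer size, not sizeof(T)`. Note also that `typeSize(..., true)` presumably reads the configured pointer size from settings, so the 0-check below still covers an unknown element type.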


@ -3449,6 +3449,20 @@ private:
" cache[i][0xFFFF] = 0;\n"
"}");
ASSERT_EQUALS("", errout.str());
check("void f() {\n"
" int **a = malloc(2 * sizeof(int*));\n"
" for (int i = 0; i < 3; i++)\n"
" a[i] = NULL;\n"
"}");
ASSERT_EQUALS("[test.cpp:3] -> [test.cpp:4]: (error) Array 'a[2]' accessed at index 2, which is out of bounds.\n", errout.str());
check("void f() {\n"
" int **a = new int*[2];\n"
" for (int i = 0; i < 3; i++)\n"
" a[i] = NULL;\n"
"}");
TODO_ASSERT_EQUALS("[test.cpp:3] -> [test.cpp:4]: (error) Array 'a[2]' accessed at index 2, which is out of bounds.\n", "", errout.str());
}
// statically allocated buffer
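Review bot: The malloc test at the first added check() only distinguishes old from new behaviour when the configured pointer size differs from sizeof(int); with equal sizes, `2 * sizeof(int*) / sizeof(int)` already yields 2 and the old code would have passed as well, so if the check() helper uses the host's native platform the test is silently platform-dependent. Adding a variant whose element type can never match a pointer size removes that dependency: `" char **a = malloc(2 * sizeof(char*));\n"` with the same loop and the same expected message for `a[2]`. The enclosing test method starts outside the hunk, and the `new int*[2]` form is already marked as a known gap by the TODO_ASSERT_EQUALS.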