Fixed #2956 (False negative: read array and then immediately check the index 'str[i] && i<sizeof(str)')
This commit is contained in:
parent
e86abfdc5f
commit
ceb763f57a
|
@ -2179,3 +2179,35 @@ void CheckBufferOverrun::executionPaths()
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
void CheckBufferOverrun::arrayIndexThenCheck()
|
||||||
|
{
|
||||||
|
if (!_settings->_checkCodingStyle)
|
||||||
|
return;
|
||||||
|
for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next())
|
||||||
|
{
|
||||||
|
if (Token::Match(tok, "%var% [ %var% ]"))
|
||||||
|
{
|
||||||
|
const std::string arrayName(tok->str());
|
||||||
|
const std::string indexName(tok->strAt(2));
|
||||||
|
|
||||||
|
// skip array index..
|
||||||
|
tok = tok->tokAt(4);
|
||||||
|
while (tok->str() == "[")
|
||||||
|
tok = tok->link()->next();
|
||||||
|
|
||||||
|
// skip comparison
|
||||||
|
if (Token::Match(tok, "==|!=|<|<=|>|>= %any% &&"))
|
||||||
|
tok = tok->tokAt(2);
|
||||||
|
|
||||||
|
// check if array index is ok
|
||||||
|
if (Token::Match(tok, ("&& " + indexName + " <|<=").c_str()))
|
||||||
|
arrayIndexThenCheckError(tok, indexName);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void CheckBufferOverrun::arrayIndexThenCheckError(const Token *tok, const std::string &indexName)
|
||||||
|
{
|
||||||
|
reportError(tok, Severity::style, "arrayIndexThenCheck", "array index " + indexName + " is used before bounds check");
|
||||||
|
}
|
||||||
|
|
|
@ -64,6 +64,7 @@ public:
|
||||||
CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger);
|
CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger);
|
||||||
checkBufferOverrun.bufferOverrun();
|
checkBufferOverrun.bufferOverrun();
|
||||||
checkBufferOverrun.negativeIndex();
|
checkBufferOverrun.negativeIndex();
|
||||||
|
checkBufferOverrun.arrayIndexThenCheck();
|
||||||
|
|
||||||
/** ExecutionPath checking.. */
|
/** ExecutionPath checking.. */
|
||||||
checkBufferOverrun.executionPaths();
|
checkBufferOverrun.executionPaths();
|
||||||
|
@ -72,6 +73,9 @@ public:
|
||||||
/** @brief %Check for buffer overruns */
|
/** @brief %Check for buffer overruns */
|
||||||
void bufferOverrun();
|
void bufferOverrun();
|
||||||
|
|
||||||
|
/** @brief Using array index before bounds check */
|
||||||
|
void arrayIndexThenCheck();
|
||||||
|
|
||||||
/** @brief %Check for buffer overruns by inspecting execution paths */
|
/** @brief %Check for buffer overruns by inspecting execution paths */
|
||||||
void executionPaths();
|
void executionPaths();
|
||||||
|
|
||||||
|
@ -216,6 +220,7 @@ public:
|
||||||
void negativeIndexError(const Token *tok, MathLib::bigint index);
|
void negativeIndexError(const Token *tok, MathLib::bigint index);
|
||||||
void cmdLineArgsError(const Token *tok);
|
void cmdLineArgsError(const Token *tok);
|
||||||
void pointerOutOfBounds(const Token *tok, const std::string &object); // UB when result of calculation is out of bounds
|
void pointerOutOfBounds(const Token *tok, const std::string &object); // UB when result of calculation is out of bounds
|
||||||
|
void arrayIndexThenCheckError(const Token *tok, const std::string &indexName);
|
||||||
|
|
||||||
void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings)
|
void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings)
|
||||||
{
|
{
|
||||||
|
@ -229,6 +234,7 @@ public:
|
||||||
c.negativeIndexError(0, -1);
|
c.negativeIndexError(0, -1);
|
||||||
c.cmdLineArgsError(0);
|
c.cmdLineArgsError(0);
|
||||||
c.pointerOutOfBounds(0, "array");
|
c.pointerOutOfBounds(0, "array");
|
||||||
|
c.arrayIndexThenCheckError(0, "index");
|
||||||
}
|
}
|
||||||
|
|
||||||
std::string myName() const
|
std::string myName() const
|
||||||
|
|
|
@ -60,6 +60,7 @@ private:
|
||||||
CheckBufferOverrun checkBufferOverrun(&tokenizer, &settings, this);
|
CheckBufferOverrun checkBufferOverrun(&tokenizer, &settings, this);
|
||||||
checkBufferOverrun.bufferOverrun();
|
checkBufferOverrun.bufferOverrun();
|
||||||
checkBufferOverrun.negativeIndex();
|
checkBufferOverrun.negativeIndex();
|
||||||
|
checkBufferOverrun.arrayIndexThenCheck();
|
||||||
}
|
}
|
||||||
|
|
||||||
void run()
|
void run()
|
||||||
|
@ -217,6 +218,9 @@ private:
|
||||||
TEST_CASE(getErrorMessages);
|
TEST_CASE(getErrorMessages);
|
||||||
|
|
||||||
TEST_CASE(unknownMacroNoDecl); // #2638 - not variable declaration: 'AAA a[0] = 0;'
|
TEST_CASE(unknownMacroNoDecl); // #2638 - not variable declaration: 'AAA a[0] = 0;'
|
||||||
|
|
||||||
|
// Access array and then check if the used index is within bounds
|
||||||
|
TEST_CASE(arrayIndexThenCheck);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -3015,6 +3019,21 @@ private:
|
||||||
"}");
|
"}");
|
||||||
ASSERT_EQUALS("", errout.str());
|
ASSERT_EQUALS("", errout.str());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void arrayIndexThenCheck()
|
||||||
|
{
|
||||||
|
check("void f(const char s[]) {\n"
|
||||||
|
" if (s[i] == 'x' && i < y) {\n"
|
||||||
|
" }"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("[test.cpp:2]: (style) array index i is used before bounds check\n", errout.str());
|
||||||
|
|
||||||
|
check("void f(const char s[]) {\n"
|
||||||
|
" for (i = 0; s[i] == 'x' && i < y; ++i) {\n"
|
||||||
|
" }"
|
||||||
|
"}");
|
||||||
|
ASSERT_EQUALS("[test.cpp:2]: (style) array index i is used before bounds check\n", errout.str());
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
REGISTER_TEST(TestBufferOverrun)
|
REGISTER_TEST(TestBufferOverrun)
|
||||||
|
|
Loading…
Reference in New Issue