Fix #575 (Array index out of bounds check: get address of one-past-the-end array is legal)

http://sourceforge.net/apps/trac/cppcheck/ticket/575
2009-10-06 14:50:27 +03:00 · 2009-10-06 14:50:27 +03:00 · d598bed1c6
parent c55140d4cd
commit d598bed1c6
2 changed files with 24 additions and 1 deletions
--- a/src/checkbufferoverrun.cpp
+++ b/src/checkbufferoverrun.cpp
@ -158,7 +158,10 @@ void CheckBufferOverrun::checkScope(const Token *tok, const char *varname[], con
                const char *num = tok->strAt(3);
                if (std::strtol(num, NULL, 10) >= size)
                {
-                    arrayIndexOutOfBounds(tok->next());
+                    if (std::strtol(num, NULL, 10) > size || !Token::Match(tok->previous(), "& ("))
+                    {
+                        arrayIndexOutOfBounds(tok->next());
+                    }
                }
            }
        }
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -88,6 +88,7 @@ private:
        TEST_CASE(array_index_16);
        TEST_CASE(array_index_17);
        TEST_CASE(array_index_18);
+        TEST_CASE(array_index_19);

        TEST_CASE(buffer_overrun_1);
        TEST_CASE(buffer_overrun_2);
@ -573,6 +574,25 @@ private:
        TODO_ASSERT_EQUALS("[test.cpp:6]: (possible error) Buffer overrun\n", errout.str());
    }

+    void array_index_19()
+    {
+        // "One Past the End" is legal, as long as pointer is not dereferenced.
+        check("void f()\n"
+              "{\n"
+              "  char a[2];\n"
+              "  char *end = &(a[2]);\n"
+              "}\n");
+        ASSERT_EQUALS("", errout.str());
+
+        // Getting more than one past the end is not legal
+        check("void f()\n"
+              "{\n"
+              "  char a[2];\n"
+              "  char *end = &(a[3]);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (possible error) Array index out of bounds\n", errout.str());
+    }
+
    void buffer_overrun_1()
    {
        check("void f()\n"