walkero
/
cppcheck
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

CheckBufferOverrun: Better CTU checking when variable address is passed

This commit is contained in:
Daniel Marjamäki 2019-03-23 15:57:17 +01:00
parent d27a4ad82e
commit d6b806c592
2 changed files with 30 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/ctu.cpp
View File

@ -345,6 +345,20 @@ CTU::FileInfo *CTU::getFileInfo(const Tokenizer *tokenizer)
functionCall.warning = false; functionCall.warning = false;
fileInfo->functionCalls.push_back(functionCall); fileInfo->functionCalls.push_back(functionCall);
} }
// &var => buffer
if (argtok->isUnaryOp("&") && argtok->astOperand1()->variable() && argtok->astOperand1()->valueType() && !argtok->astOperand1()->variable()->isArray()) {
FileInfo::FunctionCall functionCall;
functionCall.callValueType = ValueFlow::Value::ValueType::BUFFER_SIZE;
functionCall.callId = getFunctionId(tokenizer, tok->astOperand1()->function());
functionCall.callFunctionName = tok->astOperand1()->expressionString();
functionCall.location.fileName = tokenizer->list.file(tok);
functionCall.location.linenr = tok->linenr();
functionCall.callArgNr = argnr + 1;
functionCall.callArgumentExpression = argtok->expressionString();
functionCall.callArgValue = argtok->astOperand1()->valueType()->typeSize(*tokenizer->getSettings());
functionCall.warning = false;
fileInfo->functionCalls.push_back(functionCall);
}
// pointer to uninitialized data.. // pointer to uninitialized data..
if (!argtok->isUnaryOp("&")) if (!argtok->isUnaryOp("&"))
continue; continue;

20
test/testbufferoverrun.cpp
View File

@ -246,8 +246,9 @@ private:
// TODO TEST_CASE(pointerAddition1); // TODO TEST_CASE(pointerAddition1);
TEST_CASE(ctu_1); TEST_CASE(ctu_malloc);
TEST_CASE(ctu_2); TEST_CASE(ctu_array);
TEST_CASE(ctu_variable);
} }
@ -4141,7 +4142,7 @@ private:
delete ctu; delete ctu;
} }
void ctu_1() { void ctu_malloc() {
ctu("void dostuff(char *p) {\n" ctu("void dostuff(char *p) {\n"
" p[-3] = 0;\n" " p[-3] = 0;\n"
"}\n" "}\n"
@ -4163,7 +4164,7 @@ private:
ASSERT_EQUALS("[test.cpp:6] -> [test.cpp:7] -> [test.cpp:2]: (error) Buffer access out of bounds; 'p' buffer size is 4 and it is accessed at offset 4.\n", errout.str()); ASSERT_EQUALS("[test.cpp:6] -> [test.cpp:7] -> [test.cpp:2]: (error) Buffer access out of bounds; 'p' buffer size is 4 and it is accessed at offset 4.\n", errout.str());
} }
void ctu_2() { void ctu_array() {
ctu("void dostuff(char *p) {\n" ctu("void dostuff(char *p) {\n"
" p[10] = 0;\n" " p[10] = 0;\n"
"}\n" "}\n"
@ -4173,6 +4174,17 @@ private:
"}"); "}");
ASSERT_EQUALS("[test.cpp:6] -> [test.cpp:2]: (error) Buffer access out of bounds; 'p' buffer size is 4 and it is accessed at offset 10.\n", errout.str()); ASSERT_EQUALS("[test.cpp:6] -> [test.cpp:2]: (error) Buffer access out of bounds; 'p' buffer size is 4 and it is accessed at offset 10.\n", errout.str());
} }
void ctu_variable() {
ctu("void dostuff(int *p) {\n"
" p[10] = 0;\n"
"}\n"
"int main() {\n"
" int x = 4;\n"
" dostuff(&x);\n"
"}");
ASSERT_EQUALS("[test.cpp:6] -> [test.cpp:2]: (error) Buffer access out of bounds; 'p' buffer size is 4 and it is accessed at offset 40.\n", errout.str());
}
}; };
REGISTER_TEST(TestBufferOverrun) REGISTER_TEST(TestBufferOverrun)