#7255 segmentation fault (invalid code) in CheckMemoryLeakInFunction::getcode

2016-01-03 20:53:03 +01:00 · 2016-01-03 20:53:03 +01:00 · d6fd4705cf
parent 7e585d37bc
commit d6fd4705cf
2 changed files with 23 additions and 14 deletions
--- a/lib/checkmemoryleak.cpp
+++ b/lib/checkmemoryleak.cpp
@ -487,26 +487,29 @@ bool CheckMemoryLeakInFunction::test_white_list(const std::string &funcname, con
    return ((call_func_white_list.find(funcname)!=call_func_white_list.end()) || (settings->library.leakignore.find(funcname) != settings->library.leakignore.end()) || (cpp && funcname == "delete"));
 }

+namespace {
+    const std::set<std::string> call_func_keywords = make_container < std::set<std::string> > ()
+            << "asprintf"
+            << "delete"
+            << "fclose"
+            << "for"
+            << "free"
+            << "if"
+            << "realloc"
+            << "return"
+            << "switch"
+            << "while"
+            << "sizeof";
+}

 const char * CheckMemoryLeakInFunction::call_func(const Token *tok, std::list<const Token *> callstack, const unsigned int varid, AllocType &alloctype, AllocType &dealloctype, bool &allocpar, unsigned int sz)
 {
    if (test_white_list(tok->str(), _settings, tokenizer->isCPP())) {
-        if (tok->str() == "asprintf" ||
-            tok->str() == "delete" ||
-            tok->str() == "fclose" ||
-            tok->str() == "for" ||
-            tok->str() == "free" ||
-            tok->str() == "if" ||
-            tok->str() == "realloc" ||
-            tok->str() == "return" ||
-            tok->str() == "switch" ||
-            tok->str() == "while" ||
-            tok->str() == "sizeof") {
+        if (call_func_keywords.find(tok->str())!=call_func_keywords.end())
            return 0;
-        }

        // is the varid a parameter?
-        for (const Token *tok2 = tok->tokAt(2); tok2 != tok->linkAt(1); tok2 = tok2->next()) {
+        for (const Token *tok2 = tok->tokAt(2); tok2 && tok2 != tok->linkAt(1); tok2 = tok2->next()) {
            if (tok2->str() == "(") {
                tok2 = tok2->nextArgument();
                if (!tok2)
@ -628,7 +631,7 @@ const char * CheckMemoryLeakInFunction::call_func(const Token *tok, std::list<co
        }
        if (Token::Match(tok, "& %varid% [,()]", varid)) {
            const Function *func = functok->function();
-            if (func == 0)
+            if (func == nullptr)
                continue;
            AllocType a;
            const char *ret = functionArgAlloc(func, par, a);
--- a/test/testgarbage.cpp
+++ b/test/testgarbage.cpp
@ -218,6 +218,7 @@ private:
        TEST_CASE(garbageCode167); // #7237
        TEST_CASE(garbageCode168); // #7246
        TEST_CASE(garbageCode169); // #6731
+        TEST_CASE(garbageCode170);
        TEST_CASE(garbageValueFlow);
        TEST_CASE(garbageSymbolDatabase);
        TEST_CASE(garbageAST);
@ -1436,6 +1437,11 @@ private:
                               "set case break ; default: ( ) }", false), InternalError);
    }

+    void garbageCode170() {
+        // 7255
+        checkCode("d i(){{f*s=typeid(()0,)}}", false);
+    }
+
 };

 REGISTER_TEST(TestGarbage)