From df704361f6851ea9f962344ef062f7b5994bdaa0 Mon Sep 17 00:00:00 2001
From: chrchr-github <78114321+chrchr-github@users.noreply.github.com>
Date: Mon, 29 Aug 2022 12:24:44 +0200
Subject: [PATCH] Fix FN with buffer size 1 (#4410)

---
 lib/checkbufferoverrun.cpp | 4 ++--
 test/testbufferoverrun.cpp | 20 ++++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
index f939312e3..f929bdbeb 100644
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@@ -649,7 +649,7 @@ void CheckBufferOverrun::bufferOverflow()
 if (bufferSize.intvalue <= 0)
 continue;
 // buffer size == 1 => do not warn for dynamic memory
- if (bufferSize.intvalue == 1) {
+ if (bufferSize.intvalue == 1 && args[argnr]->str() == ".") {
 // TODO: check if parent was allocated dynamically
 const Token *tok2 = argtok;
 while (Token::simpleMatch(tok2->astParent(), ".")) tok2 = tok2->astParent();
@@ -667,7 +667,7 @@ void CheckBufferOverrun::bufferOverflow()
 return checkBufferSize(tok, minsize, args, bufferSize.intvalue, mSettings, mTokenizer);
 });
 if (error)
- bufferOverflowError(args[argnr], &bufferSize, (bufferSize.intvalue == 1) ? Certainty::inconclusive : Certainty::normal);
+ bufferOverflowError(args[argnr], &bufferSize, Certainty::normal);
 }
 }
 }
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
index 3f7f06236..5d9e8bf3e 100644
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@@ -3155,7 +3155,7 @@ private:
 " (void)strxfrm(dest,src,1);\n"
 " (void)strxfrm(dest,src,2);\n"// <<
 "}");
- ASSERT_EQUALS("[test.cpp:5]: (error, inconclusive) Buffer is accessed out of bounds: dest\n", errout.str());
+ ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds: dest\n", errout.str());
 // destination size is too small
 check("void f(void) {\n"
 " const char src[3] = \"abc\";\n"
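Review bot: The comment `// buffer size == 1 => do not warn for dynamic memory` directly above the changed `if` no longer describes the condition: the exemption now applies only when the argument is a member access (`args[argnr]->str() == "."`), and a plain size-1 pointer such as the `malloc(1)` case in the new test falls through to the normal check. Suggest rewording it to `// buffer size == 1 and the argument is a member access (x.a): do not warn if the parent object is dynamic memory (see TODO below)`. The guard inspects `args[argnr]` while the walk on the following lines starts from `argtok`; if those are the same token this is fine, otherwise the guard and the walk disagree, and a one-line comment naming the relationship would settle it. `bufferOverflow` starts and ends outside the hunk, so the remainder of the exemption block is not visible here.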
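Review bot: Hardcoding `Certainty::normal` drops the inconclusive marker for every report on this path, including the size-1 member-access case that the earlier hunk still guards with `// TODO: check if parent was allocated dynamically`; while that TODO stands, a `char a[1]` last member of a heap-allocated object could presumably be reported as a definite overrun rather than an inconclusive one, depending on what the non-visible rest of that block does. If that trade-off is intended (the updated `x.a` expectations in the test file suggest it is), a short comment at the call site saying why size-1 buffers are now reported as definite would keep the next reader from re-adding the hedge; otherwise keep it only for the member case: `bufferOverflowError(args[argnr], &bufferSize, (bufferSize.intvalue == 1 && args[argnr]->str() == ".") ? Certainty::inconclusive : Certainty::normal);`. The enclosing loop and `bufferOverflow` itself begin outside the hunk.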
@@ -3181,7 +3181,7 @@ private:
 " (void)strxfrm(dest,src,1);\n"
 " (void)strxfrm(dest,src,2);\n" // <<
 "}");
- ASSERT_EQUALS("[test.cpp:5]: (error, inconclusive) Buffer is accessed out of bounds: src\n", errout.str());
+ ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds: src\n", errout.str());
 }
 
 void buffer_overrun_33() { // #2019
@@ -3217,6 +3217,14 @@ private:
 " free(p);\n"
 "}\n");
 ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: p\n", errout.str());
+
+ check("void f() {\n"
+ " char* q = \"0123456789\";\n"
+ " char* p = (char*)malloc(1);\n"
+ " strcpy(p, q);\n"
+ " free(p);\n"
+ "}\n");
+ ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: p\n", errout.str());
 }
 
 void buffer_overrun_errorpath() {
@@ -4231,20 +4239,20 @@ private:
 " struct Foo x;\n"
 " mysprintf(x.a, \"aa\");\n"
 "}", settings);
- ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", errout.str());
+ ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: x.a\n", errout.str());
 
 // ticket #900
 check("void f() {\n"
 " char *a = new char(30);\n"
 " mysprintf(a, \"a\");\n"
 "}", settings);
- TODO_ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds.\n", "", errout.str());
+ ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: a\n", errout.str());
 
 check("void f(char value) {\n"
 " char *a = new char(value);\n"
 " mysprintf(a, \"a\");\n"
 "}", settings);
- TODO_ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds.\n", "", errout.str());
+ ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: a\n", errout.str());
 
 // This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
 check("struct Foo { char a[1]; };\n"
@@ -4266,7 +4274,7 @@ private:
 " struct Foo x;\n"
 " mysprintf(x.a, \"aa\");\n"
 "}", settings);
- ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", errout.str());
+ ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: x.a\n", errout.str());
 
 check("struct Foo {\n" // #6668 - unknown size
 " char a[LEN];\n"