#9024 Crash caused by package "procserv" in lib/token.h:921 function Token::getKnownIntValue - Fix and test for alternative code example.

2019-03-08 11:07:33 +01:00 · 2019-03-08 11:07:33 +01:00 · eb9edbc177
parent ecff903b4f
commit eb9edbc177
2 changed files with 9 additions and 0 deletions
--- a/lib/checkbufferoverrun.cpp
+++ b/lib/checkbufferoverrun.cpp
@ -1019,6 +1019,7 @@ void CheckBufferOverrun::checkScope_inner(const Token *tok, const ArrayInfo &arr
                                           args[1]->hasKnownValue() &&
                                           args[1]->values().front().isTokValue() &&
                                           args[1]->values().front().tokvalue->tokType() == Token::eString &&
+                                           knownSize &&
                                           Token::getStrLength(args[1]->values().front().tokvalue) < sizeArg->getKnownIntValue());

            // check for strncpy which is not terminated
--- a/test/testbufferoverrun.cpp
+++ b/test/testbufferoverrun.cpp
@ -229,6 +229,7 @@ private:
        TEST_CASE(crash3);  // Ticket #5426 - crash
        TEST_CASE(crash4);  // Ticket #8679 - crash
        TEST_CASE(crash5);  // Ticket #8644 - crash
+        TEST_CASE(crash6);  // Ticket #9024 - crash

        TEST_CASE(executionPaths1);
        TEST_CASE(executionPaths2);
@ -3702,6 +3703,13 @@ private:
              "}");
    }

+    void crash6() { // 8644 - token has varId() but variable() is null
+        check("void start(char* name) {\n"
+              "char snapname[64] = { 0 }; \n"
+              "strncpy(snapname, \"snapshot\", arrayLength(snapname)); \n"
+              "}");
+    }
+
    void executionPaths1() {
        check("void f(int a)\n"
              "{\n"