Closed dkrupp closed 8 years ago
Please write in which projects you find this bug? During tomorrow or tonight, I'll see what can be a problem .
try this test file
/*
* overrun.cpp
*
* Created on: Jul 25, 2016
* Author: ednikru
*/
typedef unsigned int size_t;
void* malloc( size_t size );
size_t strlen( const char* str );
int sprintf( char* buffer, const char* format, ... );
char* strcpy( char* dest, const char* src );
void free( void* ptr );
bool unknown_range_check(unsigned);
bool unknown_range_check2(unsigned*);
void simple_test_heap_stack(){
char a[10];
a[10]='a';//err found by: warn_array_index_exceeds_bounds warning: array index 10 is past the end of the array (which contains 10 elements)
a[-1];//err found by: warn_array_index_precedes_bounds warning: array index -1 is before the beginning of the array
char* da=(char*) malloc(sizeof(char)*10);
da[10]='a';//err
da[-1];//err
free(da);
char *dda=new char[10];
dda[10]='a';//err
dda[-1];//err
delete[](dda);
}
void dynamic_test(size_t size){
char arr[size];
arr[size]='a';//err: out of bounds whatever the value of size
}
//test if out of bound check is ok if
//the array is passed as argument
int get_element(char *arr,unsigned index){
return arr[index];//err: found by:ArrayBoundChecker, alpha.security.ArrayBoundV2
}
void test_arg(){
char ar[10];
get_element(ar,10);
}
void out_of_bounds_loop() {
int buffer[10];
int i = 0;
for(; i <= 10; i++) {
buffer[i] = i;//err: for i==10; found by: ArrayBoundChecker
}
}
//check array accesses when pointer arithmetic is used
void pointer_arithm() {
char arr[10];
*(arr+9)='\0';//ok
*(arr+10)='\0';//err: out of bounds; found by:ArrayBoundChecker.cpp,alpha.security.ArrayBoundV2
*(arr+sizeof(arr))='\0';//err: out of bounds
}
//do not report out of bound when
//an unknown function could
//potentially do range_check
int test_unknown_range_check_get(unsigned index,char *array){
if (unknown_range_check(index))//assume range check here
return array[index];//ok ; found by ArrayBoundChecker.cpp,alpha.security.ArrayBoundV2, but should not; introduce a config option
else
return -1;
}
int test_unknown_range_check_get2(unsigned index,char *array){
if (unknown_range_check2(&index))//assume range check here; index may change
return array[index];//ok ; found but should not
else
return -1;
}
unsigned global_max;//global variable
int test_unknown_range_check_get_global(unsigned index,char *array){
if (index<global_max)//assume range check here
return array[index];//do not warn here since we do not know the value of global_max; found by ArrayBoundChecker,alpha.security.ArrayBoundV2 but should not; introduce config option
else
return -1;
}
void test_unkown_range_check(){
char a[128];
test_unknown_range_check_get(128,a);
test_unknown_range_check_get_global(128,a);
test_unknown_range_check_get2(128,a);
}
void test_strlen(){
char* buf1 = (char*) malloc (sizeof(char) * strlen("hello"));
strcpy(buf1,"hello");//error. found by CStringChecker.cpp
free(buf1);
char *buf2=new char[(strlen("hello"))];
strcpy(buf2,"hello");//error space not allocated for \0
delete[](buf2);
char* buf3 = (char*) malloc (sizeof(char) * strlen("hello")+1);
strcpy(buf3,"hello");//OK
free(buf3);
size_t size=strlen("hello");
char buf4[size];
strcpy(buf4,"hello");//err out of bound; found by CStringChecker.cpp
char buf5[strlen("hello")+1];
strcpy(buf5,"hello");//ok
char* buf6 = (char*) malloc (sizeof(char) * (sizeof("hello")));
strcpy(buf6,"hello");//ok
free(buf6);
}
void test_sprintf(){
char buff[4];
sprintf(buff,"%s","hello");//err: out of bounds write into buff
}
void test_strcpy(){
char buff[4];
strcpy(buff,"hello");//err. found by CStringChecker.cpp
}
The list contains an initial empty element and then its first child is .unitialized etc. see the screenshot