[ ] Command: infer run --reactive --bufferoverrun --pulse --enable-issue-type ARRAY_OUT_OF_BOUNDS_L1 -- clang -c strn.c (also tried BUFFER_OVERRUN_Ux, BUFFER_OVERRUN_Lx, and ARRAY_OUT_OF_BOUNDS_Lx where x ranges from 1-6.)
[ ] The full output in a paste:
Capturing in make/cc mode...
Found 1 (out of 1) source file to analyze in /home/../infer/infer-out
1/1 [#################################################] 100% 4.458ms
No issues found
[ ] Code:
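```c
#include <stdio.h>
#include <string.h>

char *src = "demo";   /* 4 characters plus a terminating '\0' */

int main() {
    char dest[4];
    strncpy(dest, src, sizeof(dest));   /* copies at most sizeof(dest) == 4 bytes */
    printf("str=%s\n", dest);
}
```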
I cannot get Infer to find the buffer overflow caused in strncpy(). Please advise.
To be pedantic, technically there is no buffer overflow in strncpy here. The problem is that the code will pass a non-\0-terminated string to printf("%s"), as strncpy won't append it if there is no space.
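The behaviour described in the comment above, as an added example that is not part of the original issue or its replies: it checks whether the destination ends up terminated after the `strncpy` call from the report, and shows a bounded copy and a bounded read next to it. The helper names `is_terminated`, `copy_like_issue` and `copy_bounded` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf[0..n) contains a '\0', i.e. "%s" would stop inside buf. */
static int is_terminated(const char *buf, size_t n) {
    return memchr(buf, '\0', n) != NULL;
}

/* The pattern from the issue: strncpy with n == sizeof(dest).
 * The write stays in bounds, but no '\0' is stored when strlen(src) >= n.
 * Returns 1 if dest is terminated afterwards, 0 if it is not. */
static int copy_like_issue(char *dest, size_t n, const char *src) {
    strncpy(dest, src, n);
    return is_terminated(dest, n);
}

/* Bounded copy that always terminates (for n > 0).
 * Returns 1 if src did not fit and was truncated, 0 otherwise. */
static int copy_bounded(char *dest, size_t n, const char *src) {
    int needed = snprintf(dest, n, "%s", src);
    return needed < 0 || (size_t)needed >= n;
}

int main(void) {
    const char *src = "demo";   /* same sample input as the issue */
    char dest[4];

    int ok = copy_like_issue(dest, sizeof dest, src);
    printf("strncpy:  terminated=%d\n", ok);
    /* Bounded read: the precision caps how many bytes "%s" may consume,
     * so this is safe even though dest has no terminator here. */
    printf("str=%.*s\n", (int)sizeof dest, dest);

    int truncated = copy_bounded(dest, sizeof dest, src);
    printf("snprintf: truncated=%d str=%s\n", truncated, dest);
    return 0;
}
```

The out-of-bounds access in the reported program is therefore a read in `printf`, past the end of `dest`, not a write in `strncpy`.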
[ ] Infer version 1.1.0
[ ] Debian 11