Fix FN with buffer size 1 (#4410)

chrchr-github · web-flow · commit df704361f685 · 2022-08-29T12:24:44.000+02:00
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
@@ -649,7 +649,7 @@ void CheckBufferOverrun::bufferOverflow()
                 if (bufferSize.intvalue <= 0)
                     continue;
                 // buffer size == 1 => do not warn for dynamic memory
-                if (bufferSize.intvalue == 1) {
+                if (bufferSize.intvalue == 1 && args[argnr]->str() == ".") { // TODO: check if parent was allocated dynamically
                     const Token *tok2 = argtok;
                     while (Token::simpleMatch(tok2->astParent(), "."))
                         tok2 = tok2->astParent();
@@ -667,7 +667,7 @@ void CheckBufferOverrun::bufferOverflow()
                     return checkBufferSize(tok, minsize, args, bufferSize.intvalue, mSettings, mTokenizer);
                 });
                 if (error)
-                    bufferOverflowError(args[argnr], &bufferSize, (bufferSize.intvalue == 1) ? Certainty::inconclusive : Certainty::normal);
+                    bufferOverflowError(args[argnr], &bufferSize, Certainty::normal);
             }
         }
     }
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
@@ -3155,7 +3155,7 @@ class TestBufferOverrun : public TestFixture {
               "    (void)strxfrm(dest,src,1);\n"
               "    (void)strxfrm(dest,src,2);\n"// <<
               "}");
-        ASSERT_EQUALS("[test.cpp:5]: (error, inconclusive) Buffer is accessed out of bounds: dest\n", errout.str());
+        ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds: dest\n", errout.str());
         // destination size is too small
         check("void f(void) {\n"
               "    const char src[3] = \"abc\";\n"
@@ -3181,7 +3181,7 @@ class TestBufferOverrun : public TestFixture {
               "    (void)strxfrm(dest,src,1);\n"
               "    (void)strxfrm(dest,src,2);\n" // <<
               "}");
-        ASSERT_EQUALS("[test.cpp:5]: (error, inconclusive) Buffer is accessed out of bounds: src\n", errout.str());
+        ASSERT_EQUALS("[test.cpp:5]: (error) Buffer is accessed out of bounds: src\n", errout.str());
     }
 
     void buffer_overrun_33() { // #2019
@@ -3217,6 +3217,14 @@ class TestBufferOverrun : public TestFixture {
               "    free(p);\n"
               "}\n");
         ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: p\n", errout.str());
+
+        check("void f() {\n"
+              "    char* q = \"0123456789\";\n"
+              "    char* p = (char*)malloc(1);\n"
+              "    strcpy(p, q);\n"
+              "    free(p);\n"
+              "}\n");
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: p\n", errout.str());
     }
 
     void buffer_overrun_errorpath() {
@@ -4231,20 +4239,20 @@ class TestBufferOverrun : public TestFixture {
               "  struct Foo x;\n"
               "  mysprintf(x.a, \"aa\");\n"
               "}", settings);
-        ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", errout.str());
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: x.a\n", errout.str());
 
         // ticket #900
         check("void f() {\n"
               "  char *a = new char(30);\n"
               "  mysprintf(a, \"a\");\n"
               "}", settings);
-        TODO_ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds.\n", "", errout.str());
+        ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: a\n", errout.str());
 
         check("void f(char value) {\n"
               "  char *a = new char(value);\n"
               "  mysprintf(a, \"a\");\n"
               "}", settings);
-        TODO_ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds.\n", "", errout.str());
+        ASSERT_EQUALS("[test.cpp:3]: (error) Buffer is accessed out of bounds: a\n", errout.str());
 
         // This is out of bounds if 'sizeof(ABC)' is 1 (No padding)
         check("struct Foo { char a[1]; };\n"
@@ -4266,7 +4274,7 @@ class TestBufferOverrun : public TestFixture {
               "  struct Foo x;\n"
               "  mysprintf(x.a, \"aa\");\n"
               "}", settings);
-        ASSERT_EQUALS("[test.cpp:4]: (error, inconclusive) Buffer is accessed out of bounds: x.a\n", errout.str());
+        ASSERT_EQUALS("[test.cpp:4]: (error) Buffer is accessed out of bounds: x.a\n", errout.str());
 
         check("struct Foo {\n" // #6668 - unknown size
               "  char a[LEN];\n"

Original file line number	Diff line number	Diff line change
`@@ -649,7 +649,7 @@ void CheckBufferOverrun::bufferOverflow()`
`649`	`649`	`if (bufferSize.intvalue <= 0)`
`650`	`650`	`continue;`
`651`	`651`	`// buffer size == 1 => do not warn for dynamic memory`
`652`		`- if (bufferSize.intvalue == 1) {`
	`652`	`+ if (bufferSize.intvalue == 1 && args[argnr]->str() == ".") { // TODO: check if parent was allocated dynamically`
`653`	`653`	`const Token *tok2 = argtok;`
`654`	`654`	`while (Token::simpleMatch(tok2->astParent(), "."))`
`655`	`655`	`tok2 = tok2->astParent();`
`@@ -667,7 +667,7 @@ void CheckBufferOverrun::bufferOverflow()`
`667`	`667`	`return checkBufferSize(tok, minsize, args, bufferSize.intvalue, mSettings, mTokenizer);`
`668`	`668`	`});`
`669`	`669`	`if (error)`
`670`		`- bufferOverflowError(args[argnr], &bufferSize, (bufferSize.intvalue == 1) ? Certainty::inconclusive : Certainty::normal);`
	`670`	`+ bufferOverflowError(args[argnr], &bufferSize, Certainty::normal);`
`671`	`671`	`}`
`672`	`672`	`}`
`673`	`673`	`}`