maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

[analyzer] CStringSyntaxChecks: Fix an off-by-one error in the strlcat() check. 

oth strlcat and strlcpy cut off their safe bound for the argument value
at sizeof(destination). There's no need to subtract 1 in only one
of these cases.

Differential Revision: https://reviews.llvm.org/D57981

rdar://problem/47873212

llvm-svn: 353583
This commit is contained in:
Artem Dergachev 2019-02-08 23:59:52 +00:00
parent afd612ece9
commit 9197056419
2 changed files with 4 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp
View File

@ -153,8 +153,6 @@ bool WalkAST::containsBadStrncatPattern(const CallExpr *CE) {
bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
if (CE->getNumArgs() != 3)
return false;
const FunctionDecl *FD = CE->getDirectCallee();
bool Append = CheckerContext::isCLibraryFunction(FD, "strlcat");
const Expr *DstArg = CE->getArg(0);
const Expr *LenArg = CE->getArg(2);
@ -194,13 +192,8 @@ bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
ASTContext &C = BR.getContext();
uint64_t BufferLen = C.getTypeSize(Buffer) / 8;
auto RemainingBufferLen = BufferLen - DstOff;
if (Append) {
if (RemainingBufferLen <= ILRawVal)
return true;
} else {
if (RemainingBufferLen < ILRawVal)
return true;
}
if (RemainingBufferLen < ILRawVal)
return true;
}
}
}

2
clang/test/Analysis/cstring-syntax.c
View File

@ -33,6 +33,7 @@ void testStrlcpy(const char *src) {
strlcpy(dest, src, ulen);
strlcpy(dest + 5, src, 5);
strlcpy(dest + 5, src, 10); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
strlcpy(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
}
void testStrlcat(const char *src) {
@ -51,4 +52,5 @@ void testStrlcat(const char *src) {
strlcat(dest, src, ulen);
strlcpy(dest, src, 5);
strlcat(dest + 5, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
strlcat(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
}