[analyzer] CStringSyntaxChecks: Fix an off-by-one error in the strlcat() check.
Both strlcat and strlcpy cut off their safe bound for the argument value at sizeof(destination). There's no need to subtract 1 in only one of these cases. Differential Revision: https://reviews.llvm.org/D57981 rdar://problem/47873212 llvm-svn: 353583
This commit is contained in:
parent
afd612ece9
commit
9197056419
clang
|
@ -153,8 +153,6 @@ bool WalkAST::containsBadStrncatPattern(const CallExpr *CE) {
|
||||||
bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
|
bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
|
||||||
if (CE->getNumArgs() != 3)
|
if (CE->getNumArgs() != 3)
|
||||||
return false;
|
return false;
|
||||||
const FunctionDecl *FD = CE->getDirectCallee();
|
|
||||||
bool Append = CheckerContext::isCLibraryFunction(FD, "strlcat");
|
|
||||||
const Expr *DstArg = CE->getArg(0);
|
const Expr *DstArg = CE->getArg(0);
|
||||||
const Expr *LenArg = CE->getArg(2);
|
const Expr *LenArg = CE->getArg(2);
|
||||||
|
|
||||||
|
@ -194,16 +192,11 @@ bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
|
||||||
ASTContext &C = BR.getContext();
|
ASTContext &C = BR.getContext();
|
||||||
uint64_t BufferLen = C.getTypeSize(Buffer) / 8;
|
uint64_t BufferLen = C.getTypeSize(Buffer) / 8;
|
||||||
auto RemainingBufferLen = BufferLen - DstOff;
|
auto RemainingBufferLen = BufferLen - DstOff;
|
||||||
if (Append) {
|
|
||||||
if (RemainingBufferLen <= ILRawVal)
|
|
||||||
return true;
|
|
||||||
} else {
|
|
||||||
if (RemainingBufferLen < ILRawVal)
|
if (RemainingBufferLen < ILRawVal)
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
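Review bot: `auto RemainingBufferLen = BufferLen - DstOff;` is unsigned arithmetic on a `uint64_t`, so when the destination offset already lies past the end of the buffer (DstOff > BufferLen) the subtraction wraps to a huge value and the remaining `if (RemainingBufferLen < ILRawVal)` test can never fire, leaving that out-of-bounds copy unreported. DstOff's type and any earlier bound on it are outside the hunk, so this may already be guarded upstream. If it is not, `if (DstOff > BufferLen || RemainingBufferLen < ILRawVal)` keeps the wrap from suppressing the report (whether the existing diagnostic text fits that case is worth checking). A one-line comment on the comparison would also keep the reasoning from the commit message next to the code, e.g. `// strlcpy and strlcat both stop at sizeof(dst), so a length equal to the remaining buffer is safe for either.`. containsBadStrlcpyStrlcatPattern starts before the second hunk, in the first one.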
@ -33,6 +33,7 @@ void testStrlcpy(const char *src) {
|
||||||
strlcpy(dest, src, ulen);
|
strlcpy(dest, src, ulen);
|
||||||
strlcpy(dest + 5, src, 5);
|
strlcpy(dest + 5, src, 5);
|
||||||
strlcpy(dest + 5, src, 10); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
|
strlcpy(dest + 5, src, 10); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
|
||||||
|
strlcpy(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
|
||||||
}
|
}
|
||||||
|
|
||||||
void testStrlcat(const char *src) {
|
void testStrlcat(const char *src) {
|
||||||
|
@ -51,4 +52,5 @@ void testStrlcat(const char *src) {
|
||||||
strlcat(dest, src, ulen);
|
strlcat(dest, src, ulen);
|
||||||
strlcpy(dest, src, 5);
|
strlcpy(dest, src, 5);
|
||||||
strlcat(dest + 5, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
|
strlcat(dest + 5, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
|
||||||
|
strlcat(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
|
||||||
}
|
}
|
||||||
|
|
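Review bot: The two added `// no-warning` lines pin only the exact-size boundary (a length equal to sizeof(dest), which the surrounding `dest + 5` cases suggest is 10 bytes), so a regression that loosens the check by one more byte would still pass here. A companion case one past the boundary, `strlcat(dest, "aaaaaaaaaaaaaaa", 11); // expected-warning {{...}}` with the same message as the `badlen` line, would pin the other side of the off-by-one for strlcat, and likewise an 11-byte strlcpy call in testStrlcpy; `badlen` and `dest` are defined outside the hunk, so such a case may already exist. Both testStrlcpy and testStrlcat begin before their hunks.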