19 changes: 18 additions & 1 deletion cfg/cppcheck-cfg.rng
Expand Up @@ -283,7 +283,6 @@
<attribute name="type">
<choice>
<value>strlen</value>
<value>argvalue</value>
<value>sizeof</value>
<value>mul</value>
</choice>
Expand All @@ -310,6 +309,24 @@
<attribute name="baseType"><text/></attribute>
</optional>
</element>
<element name="minsize">
<attribute name="type">
<choice>
<value>argvalue</value>
</choice>
</attribute>
<attribute name="arg">
<ref name="ARGNO"/>
</attribute>
<optional>
<attribute name="arg2">
<ref name="ARGNO"/>
</attribute>
</optional>
<optional>
<attribute name="baseType"><text/></attribute>
</optional>
</element>
</choice>
</zeroOrMore>
<optional>
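Review bot: The new `minsize` definition for `type="argvalue"` still permits an optional `arg2` attribute, although the size being checked appears to come from the single argument named by `arg`. Whether the loader ever reads `arg2` for this type is not visible in this section, so this may be intentional. If it is not, dropping the `<optional>` block around `arg2` would let schema validation reject a cfg entry that sets it by mistake. A short XML comment above the element, such as `<!-- argvalue: buffer must hold 'arg' elements of baseType; unscaled when baseType is absent -->`, would also record why it was split out of the shared definition.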
2 changes: 1 addition & 1 deletion cfg/posix.cfg
Expand Up @@ -5449,7 +5449,7 @@ The function 'mktemp' is considered to be dangerous due to race conditions and s
<not-overlapping-data ptr1-arg="1" ptr2-arg="2" size-arg="3"/>
<arg nr="1" direction="out">
<not-null/>
<minsize type="argvalue" arg="3"/>
<minsize type="argvalue" arg="3" baseType="wchar_t"/>
</arg>
<arg nr="2" direction="in">
<not-null/>
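Review bot: Only this entry and the matching one in cfg/std.cfg gain `baseType="wchar_t"`, so any other wide-character function still declared with a bare `<minsize type="argvalue" arg="N"/>` would keep comparing an element count against the buffer size unscaled. Those entries are outside the visible hunks, so this is a request to audit rather than a confirmed gap; the `wmem*` and remaining `wcsn*` functions are the obvious candidates. An entry left unscaled means an overrun of a `wchar_t` buffer can go unreported by the checker.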
2 changes: 1 addition & 1 deletion cfg/std.cfg
Expand Up @@ -5359,7 +5359,7 @@ The obsolete function 'gets' is called. With 'gets' you'll get a buffer overrun
<not-overlapping-data ptr1-arg="1" ptr2-arg="2" size-arg="3"/>
<arg nr="1">
<not-null/>
<minsize type="argvalue" arg="3"/>
<minsize type="argvalue" arg="3" baseType="wchar_t"/>
</arg>
<arg nr="2" direction="in">
<not-null/>
12 changes: 9 additions & 3 deletions lib/checkbufferoverrun.cpp
Expand Up @@ -593,10 +593,16 @@ static bool checkBufferSize(const Token *ftok, const Library::ArgumentChecks::Mi
return Token::getStrLength(strtoken) < bufferSize;
}
break;
case Library::ArgumentChecks::MinSize::Type::ARGVALUE:
if (arg && arg->hasKnownIntValue())
return arg->getKnownIntValue() <= bufferSize;
case Library::ArgumentChecks::MinSize::Type::ARGVALUE: {
if (arg && arg->hasKnownIntValue()) {
MathLib::bigint myMinsize = arg->getKnownIntValue();
unsigned int baseSize = tokenizer->sizeOfType(minsize.baseType);
if (baseSize != 0)
myMinsize *= baseSize;
return myMinsize <= bufferSize;
}
break;
}
case Library::ArgumentChecks::MinSize::Type::SIZEOF:
// TODO
break;
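Review bot: When `tokenizer->sizeOfType(minsize.baseType)` yields 0 (presumably for an empty or unrecognised type name), the new ARGVALUE branch silently falls back to comparing the raw argument value with `bufferSize`. A misspelled `baseType` in a cfg file would therefore turn the scaling off without any diagnostic, and the overrun this change targets would go unreported again. At minimum the fallback deserves a comment, e.g. `// baseSize == 0: no or unknown baseType, compare the unscaled argument value`, and `baseSize` can be declared `const`. The multiplication `myMinsize *= baseSize` is also unchecked arithmetic on a value taken from the analysed code, so a guard against overflow for very large known values is worth considering. checkBufferSize begins and ends outside this hunk, so how `bufferSize` is computed is not visible here.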
6 changes: 3 additions & 3 deletions lib/library.cpp
Expand Up @@ -783,9 +783,6 @@ Library::Error Library::loadFunction(const tinyxml2::XMLElement * const node, co
return Error(ErrorCode::BAD_ATTRIBUTE_VALUE, valueattr);
ac.minsizes.emplace_back(type, 0);
ac.minsizes.back().value = minsizevalue;
const char* baseTypeAttr = argnode->Attribute("baseType");
if (baseTypeAttr)
ac.minsizes.back().baseType = baseTypeAttr;
} else {
const char *argattr = argnode->Attribute("arg");
if (!argattr)
Expand All @@ -804,6 +801,9 @@ Library::Error Library::loadFunction(const tinyxml2::XMLElement * const node, co
ac.minsizes.back().arg2 = arg2attr[0] - '0';
}
}
const char* baseTypeAttr = argnode->Attribute("baseType"); // used by VALUE, ARGVALUE
if (baseTypeAttr)
ac.minsizes.back().baseType = baseTypeAttr;
}

else if (argnodename == "iterator") {
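Review bot: Moving the `baseType` read below the if/else means it is now stored for every minsize type, while the trailing comment says only VALUE and ARGVALUE use it. As far as the schema hunks in this commit show, the RNG allows the attribute only on those elements, but the loader itself would accept `baseType` on another type and the checker would then ignore it whenever a cfg file is loaded without schema validation. Consider restricting the read to the types that consume it, e.g. `if (baseTypeAttr && (type == ArgumentChecks::MinSize::Type::VALUE || type == ArgumentChecks::MinSize::Type::ARGVALUE))`, assuming `type` is still in scope at that point, or returning an error for the other types. loadFunction starts and ends outside this hunk.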
8 changes: 8 additions & 0 deletions test/cfg/posix.c
Expand Up @@ -564,6 +564,14 @@ size_t bufferAccessOutOfBounds_strnlen(const char *s, size_t maxlen)
return len;
}

void bufferAccessOutOfBounds_wcpncpy()
{
wchar_t s[16];
wcpncpy(s, L"abc", 16);
// cppcheck-suppress bufferAccessOutOfBounds
wcpncpy(s, L"abc", 17);
}

size_t nullPointer_strnlen(const char *s, size_t maxlen)
{
// No warning shall be shown:
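Review bot: `void bufferAccessOutOfBounds_wcpncpy()` is declared with empty parentheses, which in C before C23 declares a function without a prototype; `void bufferAccessOutOfBounds_wcpncpy(void)` states the intent. The same applies to `bufferAccessOutOfBounds_wcsncpy()` in test/cfg/std.c. Both tests pin the boundary well (16 accepted, 17 flagged). A one-line comment such as `// size argument counts wchar_t elements, not bytes` above the first call would tell a reader why 17 must warn for a 16-element array.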
8 changes: 8 additions & 0 deletions test/cfg/std.c
Expand Up @@ -556,6 +556,14 @@ void bufferAccessOutOfBounds_wcsftime(wchar_t* ptr, size_t maxsize, const wchar_
(void)wcsftime(ptr, maxsize, format, timeptr);
}

void bufferAccessOutOfBounds_wcsncpy()
{
wchar_t s[16];
wcsncpy(s, L"abc", 16);
// cppcheck-suppress bufferAccessOutOfBounds
wcsncpy(s, L"abc", 17);
}

int nullPointer_wcsncmp(const wchar_t* s1, const wchar_t* s2, size_t n)
{
// cppcheck-suppress nullPointer