diff options
| author | David Carlier <devnexen@gmail.com> | 2018-07-23 18:26:38 +0000 |
|---|---|---|
| committer | David Carlier <devnexen@gmail.com> | 2018-07-23 18:26:38 +0000 |
| commit | 2ea81639bd61c4480ba57535cb142017b07e2633 (patch) | |
| tree | 23d229d8fc5ee163c2a6673ae446b22c01a6943b /clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp | |
| parent | dbae8cdb89bc876b1c56a051d90ab3dbd4732663 (diff) | |
| download | bcm5719-llvm-2ea81639bd61c4480ba57535cb142017b07e2633.tar.gz bcm5719-llvm-2ea81639bd61c4480ba57535cb142017b07e2633.zip | |
[CStringSyntaxChecker] Improvements of strlcpy check
Adding an additional check whenwe offset fro the buffer base address.
Reviewers: george.karpenkov,NoQ
Reviewed By: george.karpenkov
Differential Revision: https://reviews.llvm.org/D49633
llvm-svn: 337721
Diffstat (limited to 'clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp')
| -rw-r--r-- | clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp index b1f37f5a342..8b4aa857e77 100644 --- a/clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp @@ -88,6 +88,7 @@ class WalkAST: public StmtVisitor<WalkAST> { /// size_t cpy = 4; /// strlcpy(dst, "abcd", sizeof("abcd") - 1); /// strlcpy(dst, "abcd", 4); + /// strlcpy(dst + 3, "abcd", 2); /// strlcpy(dst, "abcd", cpy); bool containsBadStrlcpyPattern(const CallExpr *CE); @@ -149,6 +150,7 @@ bool WalkAST::containsBadStrlcpyPattern(const CallExpr *CE) { const auto *DstArgDecl = dyn_cast<DeclRefExpr>(DstArg->IgnoreParenImpCasts()); const auto *LenArgDecl = dyn_cast<DeclRefExpr>(LenArg->IgnoreParenLValueCasts()); + uint64_t DstOff = 0; // - size_t dstlen = sizeof(dst) if (LenArgDecl) { const auto *LenArgVal = dyn_cast<VarDecl>(LenArgDecl->getDecl()); @@ -158,14 +160,28 @@ bool WalkAST::containsBadStrlcpyPattern(const CallExpr *CE) { // - integral value // We try to figure out if the last argument is possibly longer - // than the destination can possibly handle if its size can be defined + // than the destination can possibly handle if its size can be defined. if (const auto *IL = dyn_cast<IntegerLiteral>(LenArg->IgnoreParenImpCasts())) { uint64_t ILRawVal = IL->getValue().getZExtValue(); + + // Case when there is pointer arithmetic on the destination buffer + // especially when we offset from the base decreasing the + // buffer length accordingly. + if (!DstArgDecl) { + if (const auto *BE = dyn_cast<BinaryOperator>(DstArg->IgnoreParenImpCasts())) { + DstArgDecl = dyn_cast<DeclRefExpr>(BE->getLHS()->IgnoreParenImpCasts()); + if (BE->getOpcode() == BO_Add) { + if ((IL = dyn_cast<IntegerLiteral>(BE->getRHS()->IgnoreParenImpCasts()))) { + DstOff = IL->getValue().getZExtValue(); + } + } + } + } if (DstArgDecl) { if (const auto *Buffer = dyn_cast<ConstantArrayType>(DstArgDecl->getType())) { ASTContext &C = BR.getContext(); uint64_t BufferLen = C.getTypeSize(Buffer) / 8; - if (BufferLen < ILRawVal) + if ((BufferLen - DstOff) < ILRawVal) return true; } } |
