const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
if (!ER)
- return;
+ return;
DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
+ // FIXME: All of this out-of-bounds checking should eventually be refactored into a
+ // common place.
+
// Zero index is always in bound, this also passes ElementRegions created for
// pointer casts.
if (Idx.isZeroConstant())
if (!N)
return;
+ // FIXME: This bug correspond to CWE-466. Eventually we should have bug types explicitly
+ // reference such exploit categories (when applicable).
if (!BT)
- BT = new BuiltinBug("Return of Pointer Value Outside of Expected Range");
-
+ BT = new BuiltinBug("Return of pointer value outside of expected range",
+ "Returned pointer value points outside the original object (potential buffer overflow)");
+
+ // FIXME: It would be nice to eventually make this diagnostic more clear, e.g., by referencing
+ // the original declaration or by saying *why* this reference is outside the range.
+
// Generate a report for this bug.
RangedBugReport *report =
new RangedBugReport(*BT, BT->getDescription().c_str(), N);
- report->addRange(RS->getSourceRange());
-
+ report->addRange(RetE->getSourceRange());
+
C.EmitReport(report);
}
}
static void pr5316(pr5316_REFRESH_ELEMENT *dst, const pr5316_REFRESH_ELEMENT *src) {
while ((*dst++ = *src++).chr != L'\0') ;
}
+
+//===----------------------------------------------------------------------===//
+// Exercise creating ElementRegion with symbolic super region.
+//===----------------------------------------------------------------------===//
+void element_region_with_symbolic_superregion(int* p) {
+ int *x;
+ int a;
+ if (p[0] == 1)
+ x = &a;
+ if (p[0] == 1)
+ (void)*x; // no-warning
+}
+
+//===----------------------------------------------------------------------===//
+// Test returning an out-of-bounds pointer (CWE-466)
+//===----------------------------------------------------------------------===//
+
+static int test_cwe466_return_outofbounds_pointer_a[10];
+int *test_cwe466_return_outofbounds_pointer() {
+ int *p = test_cwe466_return_outofbounds_pointer_a+10;
+ return p; // expected-warning{{Returned pointer value points outside the original object}}
+}
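Review bot: The only warning case, test_cwe466_return_outofbounds_pointer, returns `test_cwe466_return_outofbounds_pointer_a+10`, which is the one-past-the-end pointer that C permits to form and return (the usual `end` of a range), so the test pins the checker to fire on that legal idiom without saying so. Add a comment on the `int *p = ...` line such as `// a+10 is one-past-the-end: legal to form in C, but the checker reports any returned pointer beyond the last element` so the deliberate false-positive trade-off is documented rather than implicit. An in-range companion is also missing, e.g. a sibling function whose body is `return test_cwe466_return_outofbounds_pointer_a + 9; // no-warning`, so a regression that warns on every array-derived pointer would be caught by this file. The hunk header is not visible here, so the exact placement within the test file is inferred from the surrounding context lines.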
+
+++ /dev/null
-// RUN: clang-cc -analyze -checker-cfref -analyzer-store=region -verify %s
-
-// Region store must be enabled for tests in this file.
-
-// Exercise creating ElementRegion with symbolic super region.
-void foo(int* p) {
- int *x;
- int a;
- if (p[0] == 1)
- x = &a;
- if (p[0] == 1)
- (void)*x; // no-warning
-}
-
-int a[10];
-
-int *f0() {
- int *p = a+10;
- return p; // expected-warning{{Return of Pointer Value Outside of Expected Range}}
-}