From: David Carlier Date: Mon, 23 Jul 2018 18:26:38 +0000 (+0000) Subject: [CStringSyntaxChecker] Improvements of strlcpy check X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=13a9f8e3e69510f353bdeb029f135ff77c236567;p=clang [CStringSyntaxChecker] Improvements of strlcpy check Adding an additional check whenwe offset fro the buffer base address. Reviewers: george.karpenkov,NoQ Reviewed By: george.karpenkov Differential Revision: https://reviews.llvm.org/D49633 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@337721 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp b/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp index b1f37f5a34..8b4aa857e7 100644 --- a/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp +++ b/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp @@ -88,6 +88,7 @@ class WalkAST: public StmtVisitor { /// size_t cpy = 4; /// strlcpy(dst, "abcd", sizeof("abcd") - 1); /// strlcpy(dst, "abcd", 4); + /// strlcpy(dst + 3, "abcd", 2); /// strlcpy(dst, "abcd", cpy); bool containsBadStrlcpyPattern(const CallExpr *CE); @@ -149,6 +150,7 @@ bool WalkAST::containsBadStrlcpyPattern(const CallExpr *CE) { const auto *DstArgDecl = dyn_cast(DstArg->IgnoreParenImpCasts()); const auto *LenArgDecl = dyn_cast(LenArg->IgnoreParenLValueCasts()); + uint64_t DstOff = 0; // - size_t dstlen = sizeof(dst) if (LenArgDecl) { const auto *LenArgVal = dyn_cast(LenArgDecl->getDecl()); @@ -158,14 +160,28 @@ bool WalkAST::containsBadStrlcpyPattern(const CallExpr *CE) { // - integral value // We try to figure out if the last argument is possibly longer - // than the destination can possibly handle if its size can be defined + // than the destination can possibly handle if its size can be defined. if (const auto *IL = dyn_cast(LenArg->IgnoreParenImpCasts())) { uint64_t ILRawVal = IL->getValue().getZExtValue(); + + // Case when there is pointer arithmetic on the destination buffer + // especially when we offset from the base decreasing the + // buffer length accordingly. + if (!DstArgDecl) { + if (const auto *BE = dyn_cast(DstArg->IgnoreParenImpCasts())) { + DstArgDecl = dyn_cast(BE->getLHS()->IgnoreParenImpCasts()); + if (BE->getOpcode() == BO_Add) { + if ((IL = dyn_cast(BE->getRHS()->IgnoreParenImpCasts()))) { + DstOff = IL->getValue().getZExtValue(); + } + } + } + } if (DstArgDecl) { if (const auto *Buffer = dyn_cast(DstArgDecl->getType())) { ASTContext &C = BR.getContext(); uint64_t BufferLen = C.getTypeSize(Buffer) / 8; - if (BufferLen < ILRawVal) + if ((BufferLen - DstOff) < ILRawVal) return true; } } diff --git a/test/Analysis/cstring-syntax.c b/test/Analysis/cstring-syntax.c index f64682b418..fe1253bedb 100644 --- a/test/Analysis/cstring-syntax.c +++ b/test/Analysis/cstring-syntax.c @@ -31,4 +31,5 @@ void testStrlcpy(const char *src) { strlcpy(dest, src, badlen); // expected-warning {{The third argument is larger than the size of the input buffer. Replace with the value 'sizeof(dest)` or lower}} strlcpy(dest, src, ulen); strlcpy(dest + 5, src, 5); + strlcpy(dest + 5, src, 10); // expected-warning {{The third argument is larger than the size of the input buffer.}} }