cpp/ql/test/query-tests/Critical/OverflowStatic
2 files changed +11 -13 lines changed
99| test.c:15:9:15:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[6]' is accessed here. |
1010| test.c:20:9:20:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[5]' is accessed here. |
1111| test.c:21:9:21:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[6]' is accessed here. |
12- | test.c:39:3:39:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[7]' is accessed here. |
13- | test.c:40:3:40:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[8]' is accessed here. |
14- | test.c:52:3:52:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
15- | test.c:59:3:59:26 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
16- | test.c:66:3:66:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
12+ | test.c:47:3:47:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
13+ | test.c:54:3:54:26 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
14+ | test.c:61:3:61:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
1715| test.c:72:3:72:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[1]' is accessed here. |
1816| test.cpp:19:3:19:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer1' has 3 elements. |
1917| test.cpp:20:3:20:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer2' has 3 elements. |
@@ -28,16 +28,11 @@ void f(void) {
2828}
2929
3030void * malloc (long unsigned int );
31- typedef struct {
32- char len ;
33- char buf [1 ];
34- } var_buf ;
35-
3631void test_buffer_sentinal () {
37- var_buf * b = malloc (10 ); // len(buf.buffer) effectively 8
32+ struct { char len ; char buf [ 1 ]; } * b = malloc (10 ); // len(buf.buffer) effectively 8
3833 b -> buf [0 ] = 0 ; // GOOD
39- b -> buf [7 ] = 0 ; // GOOD [FALSE POSITIVE]
40- b -> buf [8 ] = 0 ; // BAD
34+ b -> buf [7 ] = 0 ; // GOOD
35+ b -> buf [8 ] = 0 ; // BAD [NOT DETECTED]
4136}
4237
4338union u {
@@ -66,6 +61,11 @@ void union_test2() {
6661 u .ptr [sizeof (u )] = 0 ; // BAD
6762}
6863
64+ typedef struct {
65+ char len ;
66+ char buf [1 ];
67+ } var_buf ;
68+
6969void test_alloc () {
7070 // Special case of taking sizeof without any addition or multiplications
7171 var_buf * b = malloc (sizeof (var_buf ));
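Review bot: The `// BAD [NOT DETECTED]` annotation on `b->buf[8]` and the comment `// len(buf.buffer) effectively 8` in test_buffer_sentinal look off by one. `buf` follows a single `char len`, so (assuming no padding between the two char members) it starts at offset 1, a 10-byte allocation leaves 9 bytes for it, and index 8 is the last byte inside the allocation. If the case is meant to record an out-of-bounds write that the query misses, it should use the first index past the allocation, e.g. `b->buf[9] = 0; // BAD [NOT DETECTED]`, with the comment reworded to `// buf effectively has 9 elements` (there is no `buf.buffer` member). As written, the test records a missed detection for an access that stays within the heap block, which makes it harder to judge later whether the query has a real gap for trailing one-element arrays.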