Cppcheck
Public Member Functions | Private Member Functions | Static Private Member Functions | List of all members
CheckBufferOverrun Class Reference
Checks

buffer overruns and array index out of bounds More...

#include <checkbufferoverrun.h>

Inheritance diagram for CheckBufferOverrun:
Check

Public Member Functions

 CheckBufferOverrun ()
 This constructor is used when registering the CheckClass. More...
 
- Public Member Functions inherited from Check
 Check (const std::string &aname)
 This constructor is used when registering the CheckClass. More...
 
virtual ~Check ()
 
 Check (const Check &)=delete
 
Checkoperator= (const Check &)=delete
 
const std::string & name () const
 class name, used to generate documentation More...
 

Private Member Functions

 CheckBufferOverrun (const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger)
 This constructor is used when running checks. More...
 
void runChecks (const Tokenizer &tokenizer, ErrorLogger *errorLogger) override
 run checks, the token list is not simplified More...
 
void getErrorMessages (ErrorLogger *errorLogger, const Settings *settings) const override
 get error messages More...
 
Check::FileInfogetFileInfo (const Tokenizer &tokenizer, const Settings &settings) const override
 Parse current TU and extract file info. More...
 
bool analyseWholeProgram (const CTU::FileInfo *ctu, const std::list< Check::FileInfo * > &fileInfo, const Settings &settings, ErrorLogger &errorLogger) override
 Analyse all file infos for all TU. More...
 
void arrayIndex ()
 
void arrayIndexError (const Token *tok, const std::vector< Dimension > &dimensions, const std::vector< ValueFlow::Value > &indexes)
 
void negativeIndexError (const Token *tok, const std::vector< Dimension > &dimensions, const std::vector< ValueFlow::Value > &indexes)
 
void pointerArithmetic ()
 
void pointerArithmeticError (const Token *tok, const Token *indexToken, const ValueFlow::Value *indexValue)
 
void bufferOverflow ()
 
void bufferOverflowError (const Token *tok, const ValueFlow::Value *value, Certainty certainty)
 
void arrayIndexThenCheck ()
 
void arrayIndexThenCheckError (const Token *tok, const std::string &indexName)
 
void stringNotZeroTerminated ()
 
void terminateStrncpyError (const Token *tok, const std::string &varname)
 
void argumentSize ()
 
void argumentSizeError (const Token *tok, const std::string &functionName, nonneg int paramIndex, const std::string &paramExpression, const Variable *paramVar, const Variable *functionArg)
 
void negativeArraySize ()
 
void negativeArraySizeError (const Token *tok)
 
void negativeMemoryAllocationSizeError (const Token *tok, const ValueFlow::Value *value)
 
void objectIndex ()
 
void objectIndexError (const Token *tok, const ValueFlow::Value *v, bool known)
 
ValueFlow::Value getBufferSize (const Token *bufTok) const
 
Check::FileInfoloadFileInfoFromXml (const tinyxml2::XMLElement *xmlElement) const override
 
std::string classInfo () const override
 get information about this class, used to generate documentation More...
 

Static Private Member Functions

static bool isCtuUnsafeBufferUsage (const Settings &settings, const Token *argtok, MathLib::bigint *offset, int type)
 
static bool isCtuUnsafeArrayIndex (const Settings &settings, const Token *argtok, MathLib::bigint *offset)
 
static bool isCtuUnsafePointerArith (const Settings &settings, const Token *argtok, MathLib::bigint *offset)
 
static bool analyseWholeProgram1 (const std::map< std::string, std::list< const CTU::FileInfo::CallBase * >> &callsMap, const CTU::FileInfo::UnsafeUsage &unsafeUsage, int type, ErrorLogger &errorLogger)
 
static std::string myName ()
 

Additional Inherited Members

- Static Public Member Functions inherited from Check
static std::list< Check * > & instances ()
 List of registered check classes. More...
 
static void writeToErrorList (const ErrorMessage &errmsg)
 Write given error to stdout in xml format. More...
 
- Protected Member Functions inherited from Check
 Check (std::string aname, const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger)
 This constructor is used when running checks. More...
 
void reportError (const Token *tok, const Severity severity, const std::string &id, const std::string &msg)
 report an error More...
 
void reportError (const Token *tok, const Severity severity, const std::string &id, const std::string &msg, const CWE &cwe, Certainty certainty)
 report an error More...
 
void reportError (const std::list< const Token * > &callstack, Severity severity, const std::string &id, const std::string &msg)
 report an error More...
 
void reportError (const std::list< const Token * > &callstack, Severity severity, const std::string &id, const std::string &msg, const CWE &cwe, Certainty certainty)
 report an error More...
 
void reportError (const ErrorPath &errorPath, Severity severity, const char id[], const std::string &msg, const CWE &cwe, Certainty certainty)
 
void logChecker (const char id[])
 log checker More...
 
ErrorPath getErrorPath (const Token *errtok, const ValueFlow::Value *value, std::string bug) const
 
bool wrongData (const Token *tok, const char *str)
 Use WRONG_DATA in checkers when you check for wrong data. More...
 
- Static Protected Member Functions inherited from Check
static std::string getMessageId (const ValueFlow::Value &value, const char id[])
 
- Protected Attributes inherited from Check
const Tokenizer *const mTokenizer {}
 
const Settings *const mSettings {}
 
ErrorLogger *const mErrorLogger {}
 

Detailed Description

buffer overruns and array index out of bounds

Buffer overrun and array index out of bounds are pretty much the same. But I generally use 'array index' if the code contains []. And the given index is out of bounds. I generally use 'buffer overrun' if you for example call a strcpy or other function and pass a buffer and reads or writes too much data.

Definition at line 59 of file checkbufferoverrun.h.

Constructor & Destructor Documentation

◆ CheckBufferOverrun() [1/2]

CheckBufferOverrun::CheckBufferOverrun ( )
inline

This constructor is used when registering the CheckClass.

Definition at line 62 of file checkbufferoverrun.h.

◆ CheckBufferOverrun() [2/2]

CheckBufferOverrun::CheckBufferOverrun ( const Tokenizer tokenizer,
const Settings settings,
ErrorLogger errorLogger 
)
inlineprivate

This constructor is used when running checks.

Definition at line 66 of file checkbufferoverrun.h.

Member Function Documentation

◆ analyseWholeProgram()

bool CheckBufferOverrun::analyseWholeProgram ( const CTU::FileInfo ctu,
const std::list< Check::FileInfo * > &  fileInfo,
const Settings settings,
ErrorLogger errorLogger 
)
overrideprivatevirtual

Analyse all file infos for all TU.

Reimplemented from Check.

Definition at line 986 of file checkbufferoverrun.cpp.

References analyseWholeProgram1(), CTU::FileInfo::getCallsMap(), and Check::logChecker().

◆ analyseWholeProgram1()

bool CheckBufferOverrun::analyseWholeProgram1 ( const std::map< std::string, std::list< const CTU::FileInfo::CallBase * >> &  callsMap,
const CTU::FileInfo::UnsafeUsage unsafeUsage,
int  type,
ErrorLogger errorLogger 
)
staticprivate

Definition at line 1011 of file checkbufferoverrun.cpp.

References CTU::FileInfo::bufferOverflow, CTU::FileInfo::FunctionCall::callArgValue, CWE_BUFFER_OVERRUN, CWE_BUFFER_UNDERRUN, CWE_POINTER_ARITHMETIC_OVERFLOW, emptyString, error, CTU::FileInfo::getErrorPath(), CTU::FileInfo::UnsafeUsage::myArgumentName, normal, ErrorLogger::reportErr(), and CTU::FileInfo::UnsafeUsage::value.

Referenced by analyseWholeProgram().

◆ argumentSize()

void CheckBufferOverrun::argumentSize ( )
private

Definition at line 820 of file checkbufferoverrun.cpp.

References argumentSizeError(), Token::astOperand2(), Scope::bodyEnd, Scope::bodyStart, Variable::dimensions(), SymbolDatabase::functionScopes, getArguments(), Function::getArgumentVar(), Tokenizer::getSymbolDatabase(), Variable::isArray(), SimpleEnableGroup< T >::isEnabled(), Settings::isPremiumEnabled(), Check::logChecker(), Token::Match(), Check::mSettings, Check::mTokenizer, Variable::nameToken(), Token::next(), nonneg, Settings::severity, ValueType::type, Variable::valueType(), Token::variable(), and warning.

Referenced by runChecks().

◆ argumentSizeError()

void CheckBufferOverrun::argumentSizeError ( const Token tok,
const std::string &  functionName,
nonneg int  paramIndex,
const std::string &  paramExpression,
const Variable paramVar,
const Variable functionArg 
)
private

Definition at line 868 of file checkbufferoverrun.cpp.

References CWE_ARGUMENT_SIZE, getOrdinalText(), Variable::name(), Variable::nameToken(), normal, Check::reportError(), and warning.

Referenced by argumentSize(), and getErrorMessages().

◆ arrayIndex()

void CheckBufferOverrun::arrayIndex ( )
private

Definition at line 283 of file checkbufferoverrun.cpp.

References arrayIndexError(), astIsContainer(), Token::astOperand1(), Token::astOperand2(), Token::astParent(), Scope::bodyEnd, Scope::bodyStart, Variable::declarationId(), Token::eString, findVariableChanged(), getDimensionsEtc(), getOverrunIndexValues(), Variable::isArgument(), Check::logChecker(), Token::Match(), Check::mSettings, Check::mTokenizer, negativeIndexError(), Token::next(), Variable::scope(), Token::scope(), Token::simpleMatch(), Token::str(), Tokenizer::tokens(), Token::tokType(), ValueFlow::Value::unknown(), and Token::variable().

Referenced by loadFileInfoFromXml(), and runChecks().

◆ arrayIndexError()

void CheckBufferOverrun::arrayIndexError ( const Token tok,
const std::vector< Dimension > &  dimensions,
const std::vector< ValueFlow::Value > &  indexes 
)
private

Definition at line 404 of file checkbufferoverrun.cpp.

References arrayIndexMessage(), ValueFlow::Value::condition, CWE_BUFFER_OVERRUN, error, ValueFlow::Value::errorPath, ValueFlow::Value::errorSeverity(), Check::getErrorPath(), inconclusive, SimpleEnableGroup< T >::isEnabled(), ValueFlow::Value::isInconclusive(), Check::mSettings, normal, Check::reportError(), Settings::severity, and warning.

Referenced by arrayIndex(), and getErrorMessages().

◆ arrayIndexThenCheck()

void CheckBufferOverrun::arrayIndexThenCheck ( )
private

Definition at line 697 of file checkbufferoverrun.cpp.

References arrayIndexThenCheckError(), Token::astOperand1(), Token::astParent(), Scope::bodyEnd, Scope::bodyStart, Token::eLogicalOp, SymbolDatabase::functionScopes, Tokenizer::getSymbolDatabase(), SimpleEnableGroup< T >::isEnabled(), Check::logChecker(), Token::Match(), Check::mSettings, Check::mTokenizer, Token::next(), portability, Settings::severity, Token::simpleMatch(), Token::str(), and Token::tokType().

Referenced by runChecks().

◆ arrayIndexThenCheckError()

void CheckBufferOverrun::arrayIndexThenCheckError ( const Token tok,
const std::string &  indexName 
)
private

Definition at line 741 of file checkbufferoverrun.cpp.

References CWE_ARRAY_INDEX_THEN_CHECK, normal, Check::reportError(), and style.

Referenced by arrayIndexThenCheck(), and getErrorMessages().

◆ bufferOverflow()

void CheckBufferOverrun::bufferOverflow ( )
private

Definition at line 633 of file checkbufferoverrun.cpp.

References Library::argminsizes(), Token::astOperand1(), Token::astOperand2(), Token::astParent(), Scope::bodyEnd, Scope::bodyStart, bufferOverflowError(), error, SymbolDatabase::functionScopes, getArguments(), getBufferSize(), Tokenizer::getSymbolDatabase(), Library::hasminsize(), ValueFlow::Value::intvalue, Variable::isArgument(), Token::isCast(), Variable::isPointer(), Variable::isReference(), Settings::library, Check::logChecker(), Token::Match(), Check::mSettings, Check::mTokenizer, Token::next(), normal, ValueType::pointer, Token::simpleMatch(), Token::valueType(), and Token::variable().

Referenced by runChecks().

◆ bufferOverflowError()

void CheckBufferOverrun::bufferOverflowError ( const Token tok,
const ValueFlow::Value value,
Certainty  certainty 
)
private

Definition at line 690 of file checkbufferoverrun.cpp.

References CWE_BUFFER_OVERRUN, error, Token::expressionString(), Check::getErrorPath(), and Check::reportError().

Referenced by bufferOverflow(), and getErrorMessages().

◆ classInfo()

std::string CheckBufferOverrun::classInfo ( ) const
inlineoverrideprivatevirtual

get information about this class, used to generate documentation

Implements Check.

Definition at line 145 of file checkbufferoverrun.h.

◆ getBufferSize()

ValueFlow::Value CheckBufferOverrun::getBufferSize ( const Token bufTok) const
private

Definition at line 551 of file checkbufferoverrun.cpp.

References ValueFlow::Value::BUFFER_SIZE, Variable::dimensions(), getBufferSizeValue(), ValueFlow::Value::intvalue, Variable::isPointer(), Variable::isPointerArray(), Check::mSettings, Settings::platform, ValueFlow::Value::setKnown(), Platform::sizeof_pointer, ValueType::typeSize(), Token::valueType(), ValueFlow::Value::valueType, and Token::variable().

Referenced by bufferOverflow(), and stringNotZeroTerminated().

◆ getErrorMessages()

void CheckBufferOverrun::getErrorMessages ( ErrorLogger errorLogger,
const Settings settings 
) const
inlineoverrideprivatevirtual

get error messages

Implements Check.

Definition at line 81 of file checkbufferoverrun.h.

References argumentSizeError(), arrayIndexError(), arrayIndexThenCheckError(), bufferOverflowError(), negativeArraySizeError(), negativeIndexError(), negativeMemoryAllocationSizeError(), normal, objectIndexError(), and pointerArithmeticError().

◆ getFileInfo()

Check::FileInfo * CheckBufferOverrun::getFileInfo ( const Tokenizer tokenizer,
const Settings settings 
) const
overrideprivatevirtual

Parse current TU and extract file info.

Reimplemented from Check.

Definition at line 950 of file checkbufferoverrun.cpp.

References CTU::getUnsafeUsage(), isCtuUnsafeArrayIndex(), and isCtuUnsafePointerArith().

◆ isCtuUnsafeArrayIndex()

bool CheckBufferOverrun::isCtuUnsafeArrayIndex ( const Settings settings,
const Token argtok,
MathLib::bigint offset 
)
staticprivate

Definition at line 939 of file checkbufferoverrun.cpp.

References isCtuUnsafeBufferUsage().

Referenced by getFileInfo().

◆ isCtuUnsafeBufferUsage()

bool CheckBufferOverrun::isCtuUnsafeBufferUsage ( const Settings settings,
const Token argtok,
MathLib::bigint offset,
int  type 
)
staticprivate

Definition at line 918 of file checkbufferoverrun.cpp.

References Token::astOperand2(), Token::astParent(), Token::getKnownIntValue(), Token::hasKnownIntValue(), Token::linkAt(), Token::Match(), Token::next(), Settings::platform, Token::simpleMatch(), ValueType::typeSize(), and Token::valueType().

Referenced by isCtuUnsafeArrayIndex(), and isCtuUnsafePointerArith().

◆ isCtuUnsafePointerArith()

bool CheckBufferOverrun::isCtuUnsafePointerArith ( const Settings settings,
const Token argtok,
MathLib::bigint offset 
)
staticprivate

Definition at line 944 of file checkbufferoverrun.cpp.

References isCtuUnsafeBufferUsage().

Referenced by getFileInfo().

◆ loadFileInfoFromXml()

Check::FileInfo * CheckBufferOverrun::loadFileInfoFromXml ( const tinyxml2::XMLElement *  xmlElement) const
overrideprivatevirtual

Reimplemented from Check.

Definition at line 963 of file checkbufferoverrun.cpp.

References arrayIndex(), and CTU::loadUnsafeUsageListFromXml().

◆ myName()

static std::string CheckBufferOverrun::myName ( )
inlinestaticprivate

Definition at line 141 of file checkbufferoverrun.h.

◆ negativeArraySize()

void CheckBufferOverrun::negativeArraySize ( )
private

Definition at line 1164 of file checkbufferoverrun.cpp.

References Token::astOperand1(), Token::astOperand2(), Scope::bodyEnd, Scope::bodyStart, SymbolDatabase::functionScopes, Tokenizer::getSymbolDatabase(), Token::getValueLE(), isVLAIndex(), Check::logChecker(), Token::Match(), Check::mSettings, Check::mTokenizer, negativeArraySizeError(), negativeMemoryAllocationSizeError(), Token::next(), and SymbolDatabase::variableList().

Referenced by runChecks().

◆ negativeArraySizeError()

void CheckBufferOverrun::negativeArraySizeError ( const Token tok)
private

Definition at line 1194 of file checkbufferoverrun.cpp.

References CWE758, error, Token::expressionString(), normal, and Check::reportError().

Referenced by getErrorMessages(), and negativeArraySize().

◆ negativeIndexError()

void CheckBufferOverrun::negativeIndexError ( const Token tok,
const std::vector< Dimension > &  dimensions,
const std::vector< ValueFlow::Value > &  indexes 
)
private

Definition at line 433 of file checkbufferoverrun.cpp.

References arrayIndexMessage(), CWE_BUFFER_UNDERRUN, error, ValueFlow::Value::errorPath, ValueFlow::Value::errorSeverity(), Check::getErrorPath(), inconclusive, SimpleEnableGroup< T >::isEnabled(), ValueFlow::Value::isInconclusive(), Check::mSettings, normal, Check::reportError(), Settings::severity, and warning.

Referenced by arrayIndex(), and getErrorMessages().

◆ negativeMemoryAllocationSizeError()

void CheckBufferOverrun::negativeMemoryAllocationSizeError ( const Token tok,
const ValueFlow::Value value 
)
private

Definition at line 1203 of file checkbufferoverrun.cpp.

References CWE131, error, Check::getErrorPath(), inconclusive, ValueFlow::Value::isKnown(), normal, Check::reportError(), and warning.

Referenced by getErrorMessages(), and negativeArraySize().

◆ objectIndex()

void CheckBufferOverrun::objectIndex ( )
private

Definition at line 1053 of file checkbufferoverrun.cpp.

References ValueFlow::Value::Address, Token::astOperand1(), Token::astOperand2(), Scope::bodyEnd, Scope::bodyStart, SymbolDatabase::functionScopes, Token::getKnownIntValue(), ValueFlow::getLifetimeObjValues(), Tokenizer::getSymbolDatabase(), Token::hasKnownIntValue(), Variable::isArray(), Token::isCast(), Token::isCpp(), isCPPCast(), ValueFlow::isOutOfBounds(), Variable::isPointer(), Variable::isReference(), Variable::isRValueReference(), Check::logChecker(), makeSizeValue(), Check::mSettings, Check::mTokenizer, Token::next(), objectIndexError(), Settings::platform, ValueType::pointer, Token::simpleMatch(), ValueType::type, ValueType::typeSize(), Token::values(), Variable::valueType(), and Token::valueType().

Referenced by runChecks().

◆ objectIndexError()

void CheckBufferOverrun::objectIndexError ( const Token tok,
const ValueFlow::Value v,
bool  known 
)
private

Definition at line 1127 of file checkbufferoverrun.cpp.

References Token::astParent(), CWE758, error, ValueFlow::Value::errorPath, Token::expressionString(), Check::name(), normal, Check::reportError(), Token::simpleMatch(), ValueFlow::Value::tokvalue, and warning.

Referenced by getErrorMessages(), and objectIndex().

◆ pointerArithmetic()

void CheckBufferOverrun::pointerArithmetic ( )
private

Definition at line 463 of file checkbufferoverrun.cpp.

References Token::astOperand1(), Token::astOperand2(), getDimensionsEtc(), getOverrunIndexValues(), Token::getValueGE(), Token::getValueLE(), SimpleEnableGroup< T >::isEnabled(), ValueType::isIntegral(), Settings::isPremiumEnabled(), Check::logChecker(), Token::Match(), Check::mSettings, Check::mTokenizer, Token::next(), ValueType::pointer, pointerArithmeticError(), portability, Settings::severity, Tokenizer::tokens(), Token::valueType(), and Token::variable().

Referenced by runChecks().

◆ pointerArithmeticError()

void CheckBufferOverrun::pointerArithmeticError ( const Token tok,
const Token indexToken,
const ValueFlow::Value indexValue 
)
private

Definition at line 527 of file checkbufferoverrun.cpp.

References ValueFlow::Value::condition, CWE_POINTER_ARITHMETIC_OVERFLOW, Token::expressionString(), Check::getErrorPath(), inconclusive, ValueFlow::Value::intvalue, ValueFlow::Value::isInconclusive(), normal, portability, and Check::reportError().

Referenced by getErrorMessages(), and pointerArithmetic().

◆ runChecks()

void CheckBufferOverrun::runChecks ( const Tokenizer ,
ErrorLogger  
)
inlineoverrideprivatevirtual

run checks, the token list is not simplified

Implements Check.

Definition at line 69 of file checkbufferoverrun.h.

References argumentSize(), arrayIndex(), arrayIndexThenCheck(), bufferOverflow(), Tokenizer::getSettings(), negativeArraySize(), objectIndex(), pointerArithmetic(), and stringNotZeroTerminated().

◆ stringNotZeroTerminated()

void CheckBufferOverrun::stringNotZeroTerminated ( )
private

Definition at line 754 of file checkbufferoverrun.cpp.

References Token::astOperand2(), Scope::bodyEnd, Scope::bodyStart, Settings::certainty, SymbolDatabase::functionScopes, getArguments(), getBufferSize(), Token::getKnownIntValue(), Token::getStrLength(), Tokenizer::getSymbolDatabase(), Token::getValueTokenMaxStrLength(), Token::hasKnownIntValue(), inconclusive, ValueFlow::Value::intvalue, SimpleEnableGroup< T >::isEnabled(), isSameExpression(), Token::link(), Check::logChecker(), Check::mSettings, Check::mTokenizer, Token::next(), Settings::severity, Token::simpleMatch(), terminateStrncpyError(), and warning.

Referenced by runChecks().

◆ terminateStrncpyError()

void CheckBufferOverrun::terminateStrncpyError ( const Token tok,
const std::string &  varname 
)
private

Definition at line 807 of file checkbufferoverrun.cpp.

References CWE170, inconclusive, Check::reportError(), and warning.

Referenced by stringNotZeroTerminated().

The documentation for this class was generated from the following files:
Generated on Tue May 14 2024 11:53:17 for Cppcheck by doxygen 1.9.1