[PATCH] [static analyzer] Emit buffer overflow warning in strcpy function when uninitialized source array of known length (> dest length) is used
Mayur Pandey
mayur.p at samsung.com
Tue Nov 4 03:08:13 PST 2014
Hi Arthur,
Sorry for not updating the patch last time. I was waiting for your comments before updating it. Updated the patch now.
And for this case:
char x[3] = "abc";
char y[100];
strcpy(y, x);
I had mentioned that this does not seem to be a buffer overflow, as when I checked the same with clang, strcpy is inserting a null terminator after copying the contents of the source array.
$ cat strcpy.c
#include <string.h>
#include <stdio.h>

int main()
{
    char x[3]; /* non-null-terminated array */
    x[0] = 'a';
    x[1] = 'b';
    x[2] = 'c';
    char y[100];
    memset(y, 'a', 100);
    strcpy(y, x);
    printf("%s \n", y);
    printf("%c\n", y[0]);
    printf("%c\n", y[1]);
    printf("%c\n", y[2]);
    printf("%c\n", y[3]);
    printf("%c\n", y[4]);
    return 0;
}
$ clang strcpy.c
$ ./a.out
abc
a
b
c
a
In this example it is seen that clang is inserting a null terminator, and hence even while copying a non-null-terminated string to another array, a buffer overflow is not caused.
Please provide comments on whether this analysis is correct or not.
Thanks,
Mayur
http://reviews.llvm.org/D6012
Files:
lib/StaticAnalyzer/Checkers/CStringChecker.cpp
test/Analysis/string.c
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D6012.15755.patch
Type: text/x-patch
Size: 3114 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20141104/c94991e6/attachment.bin>
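The test case in the message reasons from the output of a single run. As an added example, not part of Mayur's message or of the Clang patch under review, the following C program places the same three non-terminated bytes "abc" next to neighbouring bytes it controls and counts how many bytes strcpy would store for each layout. The struct, its field names and the helper functions are assumptions made for this demonstration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical memory image modelled on the mailing-list test case:
 * three bytes "abc" with no terminator, followed by whatever happens
 * to sit next to them. In the real program those are stack contents. */
struct image {
    char src[3];
    char next[8];
};

/* Number of bytes strcpy(dst, img->src) would store, terminator included.
 * strcpy scans forward from src until it finds a 0 byte, so the count
 * depends on the bytes after src, not on the declared size of src.
 * The scan reads the object representation through a char pointer,
 * which is well defined, unlike the strcpy call itself would be. */
size_t strcpy_bytes_written(const struct image *img)
{
    const unsigned char *p = (const unsigned char *)img;
    size_t n = 0;
    while (n < sizeof *img && p[n] != 0)
        n++;
    return n + 1;
}

/* 1 if strcpy(dst, img->src) would write past a dst of dst_len bytes. */
int strcpy_overflows(const struct image *img, size_t dst_len)
{
    return strcpy_bytes_written(img) > dst_len;
}

/* Bounded replacement: copy at most src_len bytes of src, never more than
 * dst_len - 1, and always terminate. Returns the number of bytes copied. */
size_t bounded_copy(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    size_t n = 0;
    if (dst_len == 0)
        return 0;
    while (n < src_len && n < dst_len - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Case A (constructed): the byte after "abc" happens to be 0. */
struct image image_with_zero_after(void)
{
    struct image img;
    memset(&img, 0, sizeof img);
    memcpy(img.src, "abc", 3);
    return img;
}

/* Case B (constructed): the bytes after "abc" are non-zero, so the
 * scan continues into them before it finds a terminator. */
struct image image_with_garbage_after(void)
{
    struct image img;
    memset(&img, 0, sizeof img);
    memcpy(img.src, "abc", 3);
    memcpy(img.next, "XYZ", 3); /* followed by zeros from memset */
    return img;
}

int main(void)
{
    struct image a = image_with_zero_after();
    struct image b = image_with_garbage_after();
    char dst[4];

    printf("zero after src:    strcpy stores %zu bytes, overflows dst[4]: %d\n",
           strcpy_bytes_written(&a), strcpy_overflows(&a, sizeof dst));
    printf("garbage after src: strcpy stores %zu bytes, overflows dst[4]: %d\n",
           strcpy_bytes_written(&b), strcpy_overflows(&b, sizeof dst));

    bounded_copy(dst, sizeof dst, b.src, sizeof b.src);
    printf("bounded copy: \"%s\"\n", dst);
    return 0;
}
```

In the first image the byte after "abc" is 0, so strcpy stores four bytes and a 100-byte destination is untouched beyond index 3; in the second the neighbours are non-zero and the same call stores seven bytes, which is enough to overrun a four-byte destination. How many bytes the copy in the mailing-list run stored therefore depended on what happened to follow x on the stack, which is exactly what a static checker cannot see, so keying the warning to the declared source length is the conservative choice, and a bounded copy that always terminates is the fix on the application side.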
More information about the cfe-commits mailing list