Fix #901 Improve out-of-bounds check to detect error with sprintf() (#8473)

chrchr-github · web-flow · web-flow · commit 93052167fdc0 · 2026-04-30T09:52:46.000+02:00
Co-authored-by: chrchr-github &lt;noreply@github.com&gt;
diff --git a/Makefile b/Makefile
@@ -515,7 +515,7 @@ $(libcppdir)/checkautovariables.o: lib/checkautovariables.cpp lib/addoninfo.h li
 $(libcppdir)/checkbool.o: lib/checkbool.cpp lib/addoninfo.h lib/astutils.h lib/check.h lib/checkbool.h lib/checkers.h lib/config.h lib/errortypes.h lib/library.h lib/mathlib.h lib/platform.h lib/regex.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/vfvalue.h
 	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkbool.cpp
 
-$(libcppdir)/checkbufferoverrun.o: lib/checkbufferoverrun.cpp externals/tinyxml2/tinyxml2.h lib/addoninfo.h lib/astutils.h lib/check.h lib/checkbufferoverrun.h lib/checkers.h lib/config.h lib/ctu.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/regex.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/valueflow.h lib/vfvalue.h lib/xml.h
+$(libcppdir)/checkbufferoverrun.o: lib/checkbufferoverrun.cpp externals/tinyxml2/tinyxml2.h lib/addoninfo.h lib/astutils.h lib/check.h lib/checkbufferoverrun.h lib/checkers.h lib/config.h lib/ctu.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/regex.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/valueflow.h lib/vf_common.h lib/vfvalue.h lib/xml.h
 	$(CXX) ${INCLUDE_FOR_LIB} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkbufferoverrun.cpp
 
 $(libcppdir)/checkclass.o: lib/checkclass.cpp externals/tinyxml2/tinyxml2.h lib/addoninfo.h lib/astutils.h lib/check.h lib/checkclass.h lib/checkers.h lib/config.h lib/errorlogger.h lib/errortypes.h lib/library.h lib/mathlib.h lib/path.h lib/platform.h lib/regex.h lib/settings.h lib/smallvector.h lib/sourcelocation.h lib/standards.h lib/symboldatabase.h lib/templatesimplifier.h lib/token.h lib/tokenize.h lib/tokenlist.h lib/utils.h lib/vfvalue.h lib/xml.h
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
@@ -36,6 +36,7 @@
 #include "utils.h"
 #include "valueflow.h"
 #include "vfvalue.h"
+#include "vf_common.h"
 
 #include <algorithm>
 #include <cstdlib>
@@ -83,7 +84,7 @@ static const Token* getRealBufferTok(const Token* tok) {
     return (op->valueType() && op->valueType()->pointer) ? op : tok;
 }
 
-static int getMinFormatStringOutputLength(const std::vector<const Token*> &parameters, nonneg int formatStringArgNr)
+static int getMinFormatStringOutputLength(const std::vector<const Token*> &parameters, nonneg int formatStringArgNr, const Settings& settings)
 {
     if (formatStringArgNr <= 0 || formatStringArgNr > parameters.size())
         return 0;
@@ -138,8 +139,8 @@ static int getMinFormatStringOutputLength(const std::vector<const Token*> &param
                 break;
             case 's':
                 parameterLength = 0;
-                if (inputArgNr < parameters.size() && parameters[inputArgNr]->tokType() == Token::eString)
-                    parameterLength = Token::getStrLength(parameters[inputArgNr]);
+                if (inputArgNr < parameters.size())
+                    parameterLength = ValueFlow::valueFlowGetStrLength(parameters[inputArgNr], settings);
 
                 handleNextParameter = true;
                 break;
@@ -602,7 +603,7 @@ static bool checkBufferSize(const Token *ftok, const Library::ArgumentChecks::Mi
     switch (minsize.type) {
     case Library::ArgumentChecks::MinSize::Type::STRLEN:
         if (settings.library.isargformatstr(ftok, minsize.arg)) {
-            return getMinFormatStringOutputLength(args, minsize.arg) < bufferSize;
+            return getMinFormatStringOutputLength(args, minsize.arg, settings) < bufferSize;
         } else if (arg) {
             const Token *strtoken = arg->getValueTokenMaxStrLength();
             if (strtoken)
diff --git a/lib/valueflow.cpp b/lib/valueflow.cpp
@@ -6801,17 +6801,17 @@ static void valueFlowContainerSize(const TokenList& tokenlist,
             } else if (tok->str() == "+=" && astIsContainer(tok->astOperand1())) {
                 const Token* containerTok = tok->astOperand1();
                 const Token* valueTok = tok->astOperand2();
-                const MathLib::bigint size = ValueFlow::valueFlowGetStrLength(valueTok);
+                const MathLib::bigint size = ValueFlow::valueFlowGetStrLength(valueTok, settings);
                 forwardMinimumContainerSize(size, tok, containerTok);
 
             } else if (tok->str() == "=" && Token::simpleMatch(tok->astOperand2(), "+") && astIsContainerString(tok)) {
                 const Token* tok2 = tok->astOperand2();
                 MathLib::bigint size = 0;
                 while (Token::simpleMatch(tok2, "+") && tok2->astOperand2()) {
-                    size += ValueFlow::valueFlowGetStrLength(tok2->astOperand2());
+                    size += ValueFlow::valueFlowGetStrLength(tok2->astOperand2(), settings);
                     tok2 = tok2->astOperand1();
                 }
-                size += ValueFlow::valueFlowGetStrLength(tok2);
+                size += ValueFlow::valueFlowGetStrLength(tok2, settings);
                 forwardMinimumContainerSize(size, tok, tok->astOperand1());
             }
         }
diff --git a/lib/vf_analyzers.cpp b/lib/vf_analyzers.cpp
@@ -1547,7 +1547,7 @@ struct ContainerExpressionAnalyzer : ExpressionAnalyzer {
             case Library::Container::Action::APPEND: {
                 std::vector<const Token*> args = getArguments(tok->astParent()->tokAt(2));
                 if (args.size() == 1) // TODO: handle overloads
-                    n = ValueFlow::valueFlowGetStrLength(tok->astParent()->tokAt(3));
+                    n = ValueFlow::valueFlowGetStrLength(tok->astParent()->tokAt(3), settings);
                 if (n == 0) // TODO: handle known empty append
                     val->setPossible();
                 break;
diff --git a/lib/vf_common.cpp b/lib/vf_common.cpp
@@ -389,7 +389,7 @@ namespace ValueFlow
         v.debugPath.emplace_back(tok, std::move(s));
     }
 
-    MathLib::bigint valueFlowGetStrLength(const Token* tok)
+    MathLib::bigint valueFlowGetStrLength(const Token* tok, const Settings& settings)
     {
         if (tok->tokType() == Token::eString)
             return Token::getStrLength(tok);
@@ -399,8 +399,10 @@ namespace ValueFlow
             return v->intvalue;
         if (const Value* v = tok->getKnownValue(Value::ValueType::TOK)) {
             if (v->tokvalue != tok)
-                return valueFlowGetStrLength(v->tokvalue);
+                return valueFlowGetStrLength(v->tokvalue, settings);
         }
+        if (const Token* cont = settings.library.getContainerFromYield(tok, Library::Container::Yield::BUFFER_NT))
+            return valueFlowGetStrLength(cont, settings);
         return 0;
     }
 }
diff --git a/lib/vf_common.h b/lib/vf_common.h
@@ -53,7 +53,7 @@ namespace ValueFlow
                            const Token* tok,
                            SourceLocation local = SourceLocation::current());
 
-    MathLib::bigint valueFlowGetStrLength(const Token* tok);
+    MathLib::bigint valueFlowGetStrLength(const Token* tok, const Settings& settings);
 }
 
 #endif // vfCommonH
diff --git a/oss-fuzz/Makefile b/oss-fuzz/Makefile
@@ -185,7 +185,7 @@ $(libcppdir)/checkautovariables.o: ../lib/checkautovariables.cpp ../lib/addoninf
 $(libcppdir)/checkbool.o: ../lib/checkbool.cpp ../lib/addoninfo.h ../lib/astutils.h ../lib/check.h ../lib/checkbool.h ../lib/checkers.h ../lib/config.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/platform.h ../lib/regex.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/vfvalue.h
 	$(CXX) ${LIB_FUZZING_ENGINE} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkbool.cpp
 
-$(libcppdir)/checkbufferoverrun.o: ../lib/checkbufferoverrun.cpp ../externals/tinyxml2/tinyxml2.h ../lib/addoninfo.h ../lib/astutils.h ../lib/check.h ../lib/checkbufferoverrun.h ../lib/checkers.h ../lib/config.h ../lib/ctu.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/regex.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/valueflow.h ../lib/vfvalue.h ../lib/xml.h
+$(libcppdir)/checkbufferoverrun.o: ../lib/checkbufferoverrun.cpp ../externals/tinyxml2/tinyxml2.h ../lib/addoninfo.h ../lib/astutils.h ../lib/check.h ../lib/checkbufferoverrun.h ../lib/checkers.h ../lib/config.h ../lib/ctu.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/regex.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/valueflow.h ../lib/vf_common.h ../lib/vfvalue.h ../lib/xml.h
 	$(CXX) ${LIB_FUZZING_ENGINE} $(CPPFLAGS) $(CXXFLAGS) -c -o $@ $(libcppdir)/checkbufferoverrun.cpp
 
 $(libcppdir)/checkclass.o: ../lib/checkclass.cpp ../externals/tinyxml2/tinyxml2.h ../lib/addoninfo.h ../lib/astutils.h ../lib/check.h ../lib/checkclass.h ../lib/checkers.h ../lib/config.h ../lib/errorlogger.h ../lib/errortypes.h ../lib/library.h ../lib/mathlib.h ../lib/path.h ../lib/platform.h ../lib/regex.h ../lib/settings.h ../lib/smallvector.h ../lib/sourcelocation.h ../lib/standards.h ../lib/symboldatabase.h ../lib/templatesimplifier.h ../lib/token.h ../lib/tokenize.h ../lib/tokenlist.h ../lib/utils.h ../lib/vfvalue.h ../lib/xml.h
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
@@ -4620,6 +4620,41 @@ class TestBufferOverrun : public TestFixture {
               "  mysprintf(a, \"abcd\");\n"
               "}", settings);
         ASSERT_EQUALS("", errout_str());
+
+        check("void f() {\n" // #901
+              "    const char b[] = \"b\";\n"
+              "    char a[1];\n"
+              "    sprintf(a, \"%s\", b);\n"
+              "}\n"
+              "void g() {\n"
+              "    const char* b = \"b\";\n"
+              "    char a[1];\n"
+              "    sprintf(a, \"%s\", b);\n"
+              "}\n"
+              "void h() {\n"
+              "    const std::string b = \"b\";\n"
+              "    char a[1];\n"
+              "    sprintf(a, \"%s\", b.c_str());\n"
+              "}\n"
+              "void i() {\n"
+              "    const char b[] = \"b\";\n"
+              "    char a[2];\n"
+              "    sprintf(a, \"%s\", b);\n"
+              "}\n"
+              "void j() {\n"
+              "    const char* b = \"b\";\n"
+              "    char a[2];\n"
+              "    sprintf(a, \"%s\", b);\n"
+              "}\n"
+              "void k() {\n"
+              "    const std::string b = \"b\";\n"
+              "    char a[2];\n"
+              "    sprintf(a, \"%s\", b.c_str());\n"
+              "}\n", settings0);
+        ASSERT_EQUALS("[test.cpp:4:13]: (error) Buffer is accessed out of bounds: a [bufferAccessOutOfBounds]\n"
+                      "[test.cpp:9:13]: (error) Buffer is accessed out of bounds: a [bufferAccessOutOfBounds]\n"
+                      "[test.cpp:14:13]: (error) Buffer is accessed out of bounds: a [bufferAccessOutOfBounds]\n",
+                      errout_str());
     }
 
     void minsize_mul() {

Original file line number	Diff line number	Diff line change
`@@ -389,7 +389,7 @@ namespace ValueFlow`
`389`	`389`	`v.debugPath.emplace_back(tok, std::move(s));`
`390`	`390`	`}`
`391`	`391`
`392`		`- MathLib::bigint valueFlowGetStrLength(const Token* tok)`
	`392`	`+ MathLib::bigint valueFlowGetStrLength(const Token* tok, const Settings& settings)`
`393`	`393`	`{`
`394`	`394`	`if (tok->tokType() == Token::eString)`
`395`	`395`	`return Token::getStrLength(tok);`
`@@ -399,8 +399,10 @@ namespace ValueFlow`
`399`	`399`	`return v->intvalue;`
`400`	`400`	`if (const Value* v = tok->getKnownValue(Value::ValueType::TOK)) {`
`401`	`401`	`if (v->tokvalue != tok)`
`402`		`- return valueFlowGetStrLength(v->tokvalue);`
	`402`	`+ return valueFlowGetStrLength(v->tokvalue, settings);`
`403`	`403`	`}`
	`404`	`+ if (const Token* cont = settings.library.getContainerFromYield(tok, Library::Container::Yield::BUFFER_NT))`
	`405`	`+ return valueFlowGetStrLength(cont, settings);`
`404`	`406`	`return 0;`
`405`	`407`	`}`
`406`	`408`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ namespace ValueFlow`
`53`	`53`	`const Token* tok,`
`54`	`54`	`SourceLocation local = SourceLocation::current());`
`55`	`55`
`56`		`- MathLib::bigint valueFlowGetStrLength(const Token* tok);`
	`56`	`+ MathLib::bigint valueFlowGetStrLength(const Token* tok, const Settings& settings);`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`#endif // vfCommonH`