buffer overflow check bug — Semantic Matching Tool

buffer overflow check bug


Hi

I found another bug. smatch's buffer overflow check seems buggy.

<how to reproduce>
% make CC="$HOME/local/smatch/bin/cgcc -m64  -no-compile " CHECK="$HOME/local/smatch/bin/smatch --two-passes --full-path -spammy"   buffer_overflow

<expect result>
no warn

<actual result>
buffer_overflow.c:29 ng() error: buffer overflow 'table' 2 <= 2



buffer_overflow.c
--------------------------------
#include <stdlib.h>

/* Both functions return entry `base` (1-based) of a two-element table and
 * exit(1) on out-of-range input. They are semantically identical; only the
 * point at which `base` is decremented differs. */

double
ok(int base)
{
    static const double table[] = {
        2.0, 4.0
    };
    base -= 1;              /* decrement first, then range-check the index itself */
    if (base < 0) {
        exit(1);
    }
    if (base > 1) {
        exit(1);
    }
    return table[base];     /* reported clean */
}

double
ng(int base)
{
    static const double table[] = {
        2.0, 4.0
    };
    if (base < 1) {         /* range-check base, decrement only at the access */
        exit(1);
    }
    if (base > 2) {
        exit(1);
    }
    return table[base - 1]; /* reported as: buffer overflow 'table' 2 <= 2 */
}

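As an added example (not part of the report and not smatch's own code), here is the same lookup written so that the bounds check and the array subscript use one and the same variable, with the bound derived from the table's size instead of a hard-coded 2. The message "2 <= 2" suggests the checker compared the upper bound of `base` (2) with the table length (2) without carrying the `- 1` into the index; checking the index itself, as `ok()` does, does not depend on that tracking and is also the form a human reviewer can verify locally. The function names `lookup` and `lookup_or`, the `ARRAY_LEN` macro and the status-return convention are my own choices and are not from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Number of elements in a statically sized array. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Same two-entry table as in the report. */
static const double table[] = { 2.0, 4.0 };

/*
 * lookup(): return entry `base` (1-based) through *out.
 * Returns 0 on success and -1 when base is out of range.
 *
 * The range check is applied to `idx`, the zero-based value that is
 * actually used as the subscript, and the bound comes from the array's
 * own length. Checked variable and indexing variable are the same, so
 * the relationship is explicit at the point of use.
 */
int lookup(int base, double *out)
{
    size_t idx;

    if (base < 1)
        return -1;                  /* negative/zero would wrap in size_t below */
    idx = (size_t)base - 1;         /* decrement once, then check the index */
    if (idx >= ARRAY_LEN(table))
        return -1;
    *out = table[idx];
    return 0;
}

/* Convenience wrapper (hypothetical): the entry, or `fallback` if out of range. */
double lookup_or(int base, double fallback)
{
    double v;

    if (lookup(base, &v) != 0)
        return fallback;
    return v;
}

/* Driver: walk across both edges of the valid range 1..2. */
int main(void)
{
    int base;

    for (base = -1; base <= 3; base++) {
        double v;

        if (lookup(base, &v) == 0)
            printf("base=%d -> %.1f\n", base, v);
        else
            printf("base=%d -> out of range\n", base);
    }
    return 0;
}
```

Values 1 and 2 yield 2.0 and 4.0; -1, 0 and 3 are rejected before any array access.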

