Fix #7570: Support address-of operator on variables in getBufferSize() (#7767)

flovent · web-flow · commit ec232da1404a · 2025-09-27T14:38:27.000+02:00
Detect address-of token in `getBufferSize()` and get the underlying
variable's corresponding buffer size.

`stringNotZeroTerminated()` also calls `getBuffersize()`, so it will
also benefit.
diff --git a/lib/checkbufferoverrun.cpp b/lib/checkbufferoverrun.cpp
@@ -75,6 +75,14 @@ static const ValueFlow::Value *getBufferSizeValue(const Token *tok)
     return it == tokenValues.cend() ? nullptr : &*it;
 }
 
+static const Token* getRealBufferTok(const Token* tok) {
+    if (!tok->isUnaryOp("&"))
+        return tok;
+
+    const Token* op = tok->astOperand1();
+    return (op->valueType() && op->valueType()->pointer) ? op : tok;
+}
+
 static int getMinFormatStringOutputLength(const std::vector<const Token*> &parameters, nonneg int formatStringArgNr)
 {
     if (formatStringArgNr <= 0 || formatStringArgNr > parameters.size())
@@ -553,6 +561,8 @@ ValueFlow::Value CheckBufferOverrun::getBufferSize(const Token *bufTok) const
 {
     if (!bufTok->valueType())
         return ValueFlow::Value(-1);
+    if (bufTok->isUnaryOp("&"))
+        bufTok = bufTok->astOperand1();
     const Variable *var = bufTok->variable();
 
     if (!var || var->dimensions().empty()) {
@@ -653,7 +663,7 @@ void CheckBufferOverrun::bufferOverflow()
                     argtok = argtok->astOperand2() ? argtok->astOperand2() : argtok->astOperand1();
                 while (Token::Match(argtok, ".|::"))
                     argtok = argtok->astOperand2();
-                if (!argtok || !argtok->variable())
+                if (!argtok)
                     continue;
                 if (argtok->valueType() && argtok->valueType()->pointer == 0)
                     continue;
@@ -688,7 +698,7 @@ void CheckBufferOverrun::bufferOverflow()
 
 void CheckBufferOverrun::bufferOverflowError(const Token *tok, const ValueFlow::Value *value, Certainty certainty)
 {
-    reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? tok->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);
+    reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? getRealBufferTok(tok)->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);
 }
 
 //---------------------------------------------------------------------------
@@ -798,7 +808,7 @@ void CheckBufferOverrun::stringNotZeroTerminated()
             if (isZeroTerminated)
                 continue;
             // TODO: Locate unsafe string usage..
-            terminateStrncpyError(tok, args[0]->expressionString());
+            terminateStrncpyError(tok, getRealBufferTok(args[0])->expressionString());
         }
     }
 }
diff --git a/test/testbufferoverrun.cpp b/test/testbufferoverrun.cpp
@@ -232,6 +232,7 @@ class TestBufferOverrun : public TestFixture {
         TEST_CASE(buffer_overrun_function_array_argument);
         TEST_CASE(possible_buffer_overrun_1); // #3035
         TEST_CASE(buffer_overrun_readSizeFromCfg);
+        TEST_CASE(buffer_overrun_handle_addr_of_var); // ticket #7570 - correctly handle &var
 
         TEST_CASE(valueflow_string); // using ValueFlow string values in checking
 
@@ -271,6 +272,7 @@ class TestBufferOverrun : public TestFixture {
         TEST_CASE(terminateStrncpy3);
         TEST_CASE(terminateStrncpy4);
         TEST_CASE(terminateStrncpy5); // #9944
+        TEST_CASE(terminateStrncpy_handle_addr_of_var); // #7570
         TEST_CASE(recursive_long_time);
 
         TEST_CASE(crash1);  // Ticket #1587 - crash
@@ -3724,6 +3726,38 @@ class TestBufferOverrun : public TestFixture {
         ASSERT_EQUALS("[test.cpp:3:16]: (error) Buffer is accessed out of bounds: ms.str [bufferAccessOutOfBounds]\n", errout_str());
     }
 
+    void buffer_overrun_handle_addr_of_var() { // #7570
+        check("void f() {\n"
+              "  int i;\n"
+              "  memset(i, 0, 1000);\n"
+              "}");
+        ASSERT_EQUALS("", errout_str());
+
+        check("void f() {\n"
+              "  int i;\n"
+              "  memset(&i, 0, 1000);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:3:10]: (error) Buffer is accessed out of bounds: &i [bufferAccessOutOfBounds]\n", errout_str());
+
+        check("void f() {\n"
+              "  int i[2];\n"
+              "  memset(&i, 0, 1000);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:3:10]: (error) Buffer is accessed out of bounds: i [bufferAccessOutOfBounds]\n", errout_str());
+
+        check("void f() {\n"
+              "  int i;\n"
+              "  memset(&i, 0, sizeof(i));\n"
+              "}");
+        ASSERT_EQUALS("", errout_str());
+
+        check("void f() {\n"
+              "  int i[10];\n"
+              "  memset(&i[1], 0, 1000);\n"
+              "}");
+        TODO_ASSERT_EQUALS("[test.cpp:3:10]: (error) Buffer is accessed out of bounds: &i[1] [bufferAccessOutOfBounds]\n", "", errout_str());
+    }
+
     void valueflow_string() { // using ValueFlow string values in checking
         check("char f() {\n"
               "  const char *x = s;\n"
@@ -4321,7 +4355,7 @@ class TestBufferOverrun : public TestFixture {
               "  char c;\n"
               "  mymemset(&c, 0, 4);\n"
               "}", dinit(CheckOptions, $.s = &settings));
-        TODO_ASSERT_EQUALS("[test.cpp:3:14]: (error) Buffer is accessed out of bounds: c [bufferAccessOutOfBounds]\n", "", errout_str());
+        ASSERT_EQUALS("[test.cpp:3:12]: (error) Buffer is accessed out of bounds: &c [bufferAccessOutOfBounds]\n", errout_str());
 
         // ticket #2121 - buffer access out of bounds when using uint32_t
         check("void f(void) {\n"
@@ -4685,6 +4719,20 @@ class TestBufferOverrun : public TestFixture {
     }
     // extracttests.enable
 
+    void terminateStrncpy_handle_addr_of_var() { // #7570
+        check("void foo() {\n"
+              "  char c[6];\n"
+              "  strncpy(&c, \"hello!\", 6);\n"
+              "}");
+        ASSERT_EQUALS("[test.cpp:3:3]: (warning, inconclusive) The buffer 'c' may not be null-terminated after the call to strncpy(). [terminateStrncpy]\n", errout_str());
+
+        check("void foo() {\n"
+              "  char c[6];\n"
+              "  strncpy(&c, \"hello\\0\", 6);\n"
+              "}");
+        ASSERT_EQUALS("", errout_str());
+    }
+
     void recursive_long_time() {
         // Just test that recursive check doesn't take long time
         check("char *f2 ( char *b )\n"

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,14 @@ static const ValueFlow::Value getBufferSizeValue(const Token tok)`
`75`	`75`	`return it == tokenValues.cend() ? nullptr : &*it;`
`76`	`76`	`}`
`77`	`77`
	`78`	`+static const Token* getRealBufferTok(const Token* tok) {`
	`79`	`+ if (!tok->isUnaryOp("&"))`
	`80`	`+ return tok;`
	`81`	`+`
	`82`	`+ const Token* op = tok->astOperand1();`
	`83`	`+ return (op->valueType() && op->valueType()->pointer) ? op : tok;`
	`84`	`+}`
	`85`	`+`
`78`	`86`	`static int getMinFormatStringOutputLength(const std::vector<const Token*> &parameters, nonneg int formatStringArgNr)`
`79`	`87`	`{`
`80`	`88`	`if (formatStringArgNr <= 0 \|\| formatStringArgNr > parameters.size())`
`@@ -553,6 +561,8 @@ ValueFlow::Value CheckBufferOverrun::getBufferSize(const Token *bufTok) const`
`553`	`561`	`{`
`554`	`562`	`if (!bufTok->valueType())`
`555`	`563`	`return ValueFlow::Value(-1);`
	`564`	`+ if (bufTok->isUnaryOp("&"))`
	`565`	`+ bufTok = bufTok->astOperand1();`
`556`	`566`	`const Variable *var = bufTok->variable();`
`557`	`567`
`558`	`568`	`if (!var \|\| var->dimensions().empty()) {`
`@@ -653,7 +663,7 @@ void CheckBufferOverrun::bufferOverflow()`
`653`	`663`	`argtok = argtok->astOperand2() ? argtok->astOperand2() : argtok->astOperand1();`
`654`	`664`	`while (Token::Match(argtok, ".\|::"))`
`655`	`665`	`argtok = argtok->astOperand2();`
`656`		`- if (!argtok \|\| !argtok->variable())`
	`666`	`+ if (!argtok)`
`657`	`667`	`continue;`
`658`	`668`	`if (argtok->valueType() && argtok->valueType()->pointer == 0)`
`659`	`669`	`continue;`
`@@ -688,7 +698,7 @@ void CheckBufferOverrun::bufferOverflow()`
`688`	`698`
`689`	`699`	`void CheckBufferOverrun::bufferOverflowError(const Token tok, const ValueFlow::Value value, Certainty certainty)`
`690`	`700`	`{`
`691`		`- reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? tok->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);`
	`701`	`+ reportError(getErrorPath(tok, value, "Buffer overrun"), Severity::error, "bufferAccessOutOfBounds", "Buffer is accessed out of bounds: " + (tok ? getRealBufferTok(tok)->expressionString() : "buf"), CWE_BUFFER_OVERRUN, certainty);`
`692`	`702`	`}`
`693`	`703`
`694`	`704`	`//---------------------------------------------------------------------------`
`@@ -798,7 +808,7 @@ void CheckBufferOverrun::stringNotZeroTerminated()`
`798`	`808`	`if (isZeroTerminated)`
`799`	`809`	`continue;`
`800`	`810`	`// TODO: Locate unsafe string usage..`
`801`		`- terminateStrncpyError(tok, args[0]->expressionString());`
	`811`	`+ terminateStrncpyError(tok, getRealBufferTok(args[0])->expressionString());`
`802`	`812`	`}`
`803`	`813`	`}`
`804`	`814`	`}`