[analyzer] CStringSyntaxChecks: Fix an off-by-one error in the strlcat() check.

haoNoQ · haoNoQ · commit 7bb2d469feb8 · 2019-02-11T12:07:50.000-08:00
oth strlcat and strlcpy cut off their safe bound for the argument value at sizeof(destination). There's no need to subtract 1 in only one of these cases. Differential Revision: https://reviews.llvm.org/D57981 rdar://problem/47873212 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@353583 91177308-0d34-0410-b5e6-96231b3b80d8 (cherry picked from commit 5bcf852d505e6e3d6d965f18c5fcd72ff5ef5a06) apple-llvm-split-commit: 72dde1b133bbb481209f091451762835c8d0e849 apple-llvm-split-dir: clang/
diff --git a/clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp
@@ -154,8 +154,6 @@ bool WalkAST::containsBadStrncatPattern(const CallExpr *CE) {
 bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
   if (CE->getNumArgs() != 3)
     return false;
-  const FunctionDecl *FD = CE->getDirectCallee();
-  bool Append = CheckerContext::isCLibraryFunction(FD, "strlcat");
   const Expr *DstArg = CE->getArg(0);
   const Expr *LenArg = CE->getArg(2);
 
@@ -195,13 +193,8 @@ bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
         ASTContext &C = BR.getContext();
         uint64_t BufferLen = C.getTypeSize(Buffer) / 8;
         auto RemainingBufferLen = BufferLen - DstOff;
-        if (Append) {
-          if (RemainingBufferLen <= ILRawVal)
-            return true;
-        } else {
-          if (RemainingBufferLen < ILRawVal)
-            return true;
-        }
+        if (RemainingBufferLen < ILRawVal)
+          return true;
       }
     }
   }
diff --git a/clang/test/Analysis/cstring-syntax.c b/clang/test/Analysis/cstring-syntax.c
@@ -33,6 +33,7 @@ void testStrlcpy(const char *src) {
   strlcpy(dest, src, ulen);
   strlcpy(dest + 5, src, 5);
   strlcpy(dest + 5, src, 10); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
+  strlcpy(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
 }
 
 void testStrlcat(const char *src) {
@@ -51,4 +52,5 @@ void testStrlcat(const char *src) {
   strlcat(dest, src, ulen);
   strlcpy(dest, src, 5);
   strlcat(dest + 5, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}
+  strlcat(dest, "aaaaaaaaaaaaaaa", 10); // no-warning
 }

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ void testStrlcpy(const char *src) {`
`33`	`33`	`strlcpy(dest, src, ulen);`
`34`	`34`	`strlcpy(dest + 5, src, 5);`
`35`	`35`	`strlcpy(dest + 5, src, 10); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}`
	`36`	`+ strlcpy(dest, "aaaaaaaaaaaaaaa", 10); // no-warning`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`void testStrlcat(const char *src) {`
`@@ -51,4 +52,5 @@ void testStrlcat(const char *src) {`
`51`	`52`	`strlcat(dest, src, ulen);`
`52`	`53`	`strlcpy(dest, src, 5);`
`53`	`54`	`strlcat(dest + 5, src, badlen); // expected-warning {{The third argument allows to potentially copy more bytes than it should. Replace with the value sizeof(<destination buffer>) or lower}}`
	`55`	`+ strlcat(dest, "aaaaaaaaaaaaaaa", 10); // no-warning`
`54`	`56`	`}`