author | Ted Kremenek <kremenek@apple.com> | 2009-11-06 20:16:31 +0000 |
committer | Ted Kremenek <kremenek@apple.com> | 2009-11-06 20:16:31 +0000 |
commit | 6f516f50e53b621613d281ef186c76c5160d9d35 (patch) | |
tree | 4e17bcf370b1684adba8ebeaaddce5300944f25c /lib/Analysis/ReturnPointerRangeChecker.cpp | |
parent | a031b35ba4da13e105a349493f5351014cfb3354 (diff) |
Sentence-case bug type, and pull tests from region-only-test.c into misc-ps-region.store.m (removing an extra unneeded test file). Also add a bunch of FIXME comments for future enhancements.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86282 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'lib/Analysis/ReturnPointerRangeChecker.cpp')
-rw-r--r-- | lib/Analysis/ReturnPointerRangeChecker.cpp | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/lib/Analysis/ReturnPointerRangeChecker.cpp b/lib/Analysis/ReturnPointerRangeChecker.cpp index 4ca72716a8..181d736199 100644 --- a/lib/Analysis/ReturnPointerRangeChecker.cpp +++ b/lib/Analysis/ReturnPointerRangeChecker.cpp @@ -51,10 +51,13 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C, const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R); if (!ER) - return; + return; DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER->getIndex()); + // FIXME: All of this out-of-bounds checking should eventually be refactored into a + // common place. + // Zero index is always in bound, this also passes ElementRegions created for // pointer casts. if (Idx.isZeroConstant()) @@ -72,15 +75,21 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C, if (!N) return; + // FIXME: This bug correspond to CWE-466. Eventually we should have bug types explicitly + // reference such exploit categories (when applicable). if (!BT) - BT = new BuiltinBug("Return of Pointer Value Outside of Expected Range"); - + BT = new BuiltinBug("Return of pointer value outside of expected range", + "Returned pointer value points outside the original object (potential buffer overflow)"); + + // FIXME: It would be nice to eventually make this diagnostic more clear, e.g., by referencing + // the original declaration or by saying *why* this reference is outside the range. + // Generate a report for this bug. RangedBugReport *report = new RangedBugReport(*BT, BT->getDescription().c_str(), N); - report->addRange(RS->getSourceRange()); - + report->addRange(RetE->getSourceRange()); + C.EmitReport(report); } } |
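Review bot: The FIXME added just above `if (!BT)` in the second hunk reads "This bug correspond to CWE-466"; make it `// FIXME: This bug corresponds to CWE-466 (Return of Pointer Value Outside of Expected Range).` so the grammar is right and a reader does not have to look up the CWE number, and wrap it and the other two added FIXME comments, which run past the 80-column limit of the LLVM coding standard. The new BuiltinBug description asserts a "potential buffer overflow", yet a pointer exactly one past the end of an object is well-formed in C and is routinely returned (end pointers, `p + n`); whether the in-bounds assumption that gates this report, which lies outside this hunk, exempts that case is not visible here, and if it does not, the message overstates the finding and the gating check deserves a comment saying which side of the boundary it treats as a defect. The switch from `RS->getSourceRange()` to `RetE->getSourceRange()` narrows the highlighted range to the returned expression, which is the right target; `RetE` is presumably obtained from the ReturnStmt earlier in PreVisitReturnStmt, whose opening lines are outside this hunk, and the closing `} }` ends an enclosing block and the function.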