path: root/lib/Analysis/ReturnPointerRangeChecker.cpp
Diffstat (limited to 'lib/Analysis/ReturnPointerRangeChecker.cpp')
-rw-r--r--lib/Analysis/ReturnPointerRangeChecker.cpp19
1 files changed, 14 insertions, 5 deletions
diff --git a/lib/Analysis/ReturnPointerRangeChecker.cpp b/lib/Analysis/ReturnPointerRangeChecker.cpp
index 4ca72716a8..181d736199 100644
--- a/lib/Analysis/ReturnPointerRangeChecker.cpp
+++ b/lib/Analysis/ReturnPointerRangeChecker.cpp
@@ -51,10 +51,13 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
if (!ER)
- return;
+ return;
DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
+ // FIXME: All of this out-of-bounds checking should eventually be refactored into a
+ // common place.
+
// Zero index is always in bound, this also passes ElementRegions created for
// pointer casts.
if (Idx.isZeroConstant())
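Review bot: The new FIXME at the top of this hunk runs past LLVM's 80-column limit and is broken mid-phrase ("into a" / "common place"); rewrap it as `// FIXME: All of this out-of-bounds checking should eventually be` / `// refactored into a common place.`, and consider placing it above the `Idx` declaration it refers to rather than between that declaration and the zero-index check. While here, the untouched context line `DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());` binds a non-const reference to the result of a cast on `ER->getIndex()`; if getIndex() returns an SVal by value (cannot be confirmed from this hunk), that reference outlives the temporary and `Idx` is dangling by the time `isZeroConstant()` runs, so a by-value `DefinedOrUnknownSVal Idx` would be safer. PreVisitReturnStmt begins before this hunk.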
@@ -72,15 +75,21 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
if (!N)
return;
+ // FIXME: This bug correspond to CWE-466. Eventually we should have bug types explicitly
+ // reference such exploit categories (when applicable).
if (!BT)
- BT = new BuiltinBug("Return of Pointer Value Outside of Expected Range");
-
+ BT = new BuiltinBug("Return of pointer value outside of expected range",
+ "Returned pointer value points outside the original object (potential buffer overflow)");
+
+ // FIXME: It would be nice to eventually make this diagnostic more clear, e.g., by referencing
+ // the original declaration or by saying *why* this reference is outside the range.
+
// Generate a report for this bug.
RangedBugReport *report =
new RangedBugReport(*BT, BT->getDescription().c_str(), N);
- report->addRange(RS->getSourceRange());
-
+ report->addRange(RetE->getSourceRange());
+
C.EmitReport(report);
}
}
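Review bot: The new comment `// FIXME: This bug correspond to CWE-466.` has a grammar slip (`corresponds`), and that line, its continuation, the two-line FIXME after the BuiltinBug construction, and the new description-string line all exceed LLVM's 80-column limit; rewrap them, e.g. `// FIXME: This bug corresponds to CWE-466. Eventually we should have bug` / `// types explicitly reference such exploit categories (when applicable).`, and split the BuiltinBug description across two adjacent string literals. The description's "(potential buffer overflow)" overstates the finding slightly: a pointer returned outside the original object is an out-of-bounds pointer, which becomes a memory-safety bug only when dereferenced, so `"(potential out-of-bounds access when dereferenced)"` describes what the checker actually proved. Switching the range to `RetE->getSourceRange()` looks right for highlighting the returned expression, but RetE is declared outside this hunk, so whether it can be null on this path cannot be confirmed here. The enclosing PreVisitReturnStmt begins before this hunk.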