llvmbot wrote:
@llvm/pr-subscribers-clang-static-analyzer-1

Author: Balazs Benics (steakhal)

<details>
<summary>Changes</summary>

In #93408 https://github.com/llvm/llvm-project/commit/69bc159142c6e4ed168e32a6168392d396f891de I refined how invalidation is done for `fread`. It can crash if the "size" or "count" parameter of "fread" is a perfectly constrained negative value. In such cases, it will try to allocate a SmallVector with a negative size, which will cause a crash. To mitigate this issue, let's just guard against negative values.

CPP-3247

---

Full diff: https://github.com/llvm/llvm-project/pull/108393.diff

2 Files Affected:

- (modified) clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp (+1-1)
- (modified) clang/test/Analysis/fread.c (+30)

``````````diff
diff --git a/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp index 22061373c4b393..8bb7880a3cc283 100644 --- a/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp @@ -1129,7 +1129,7 @@ tryToInvalidateFReadBufferByElements(ProgramStateRef State, CheckerContext &C, if (!ElemTy.isNull() && CountVal && Size && StartIndexVal) { int64_t NumBytesRead = Size.value() * CountVal.value(); int64_t ElemSizeInChars = Ctx.getTypeSizeInChars(ElemTy).getQuantity(); - if (ElemSizeInChars == 0) + if (ElemSizeInChars == 0 || NumBytesRead < 0) return nullptr; bool IncompleteLastElement = (NumBytesRead % ElemSizeInChars) != 0; diff --git a/clang/test/Analysis/fread.c b/clang/test/Analysis/fread.c index 3f286421fd7a13..d470f0abebe621 100644 --- a/clang/test/Analysis/fread.c +++ b/clang/test/Analysis/fread.c
@@ -443,3 +443,33 @@ void test_unaligned_start_read(void) { fclose(fp); } } + +void no_crash_if_count_is_negative(long s, unsigned char *buffer) { + FILE *fp = fopen("path", "r"); + if (fp) { + if (s * s == -1) { + fread(buffer, 1, s * s, fp); // no-crash + } + fclose(fp); + } +} + +void no_crash_if_size_is_negative(long s, unsigned char *buffer) { + FILE *fp = fopen("path", "r"); + if (fp) { + if (s * s == -1) { + fread(buffer, s * s, 1, fp); // no-crash + } + fclose(fp); + } +} + +void no_crash_if_size_and_count_are_negative(long s, unsigned char *buffer) { + FILE *fp = fopen("path", "r"); + if (fp) { + if (s * s == -1) { + fread(buffer, s * s, s * s, fp); // no-crash + } + fclose(fp); + } +}
``````````

</details>

https://github.com/llvm/llvm-project/pull/108393

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
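Review bot: the new guard in the StreamChecker.cpp hunk tests the product `NumBytesRead` rather than the two operands, so a negative `Size` paired with a negative `CountVal` multiplies to a positive value and passes `NumBytesRead < 0`; the product is also computed in `int64_t` before any check, so sufficiently large operands overflow (signed overflow is undefined behaviour) and the sign of the result is meaningless. Consider rejecting each operand on its own and only then multiplying, e.g. `if (Size.value() < 0 || CountVal.value() < 0) return nullptr;` placed ahead of `int64_t NumBytesRead = Size.value() * CountVal.value();`, or a checked multiply whose failure also takes the `return nullptr` path, so that the early exit covers both the negative-operand and the overflow cases rather than only a negative product.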
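Review bot: in the fread.c hunk the third test, `no_crash_if_size_and_count_are_negative`, constrains both arguments with `s * s == -1`, so their product is 1 and the newly added `NumBytesRead < 0` branch is never reached from that function; it exercises the existing positive-product path with negative operands, which the name and the `// no-crash` comment do not convey and which a one-line comment should state so the test's intent is not misread. All three tests also assert nothing beyond not crashing; a `clang_analyzer_eval` on `buffer[0]` after each `fread` call would document what the analyzer knows about the buffer once the guard returns early, and would catch a future change that keeps the crash fixed but silently stops invalidating the destination.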