validation/sm_array_overflow4.c

   1 #include <stdio.h>
   2 #include <string.h>
   3
   4 #define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0]))
   5
   6 long long a[] = {1, 2};
   7
   8 int main(char *arg0)
   9 {
  10         short *s = a;
  11         short *s2 = (&(a));
  12         char buf[4], buf2[4];
  13         int i;
  14
  15         printf("%d\n", s[1]);
  16         printf("%d\n", s[2]);
  17         printf("%d\n", s[3]);
  18         printf("%d\n", s[4]);
  19         printf("%d\n", s[5]);
  20         printf("%d\n", s[6]);
  21         printf("%d\n", s[7]);
  22         printf("%d\n", s[8]);
  23         printf("%d\n", s2[8]);
  24         printf("%d\n", ((short *)a)[6]);
  25         printf("%d\n", ((short *)a)[8]);
  26         strcpy(buf, "1234");
  27         strcpy(buf2, arg0);
  28
  29         return 0;
  30 }
  31 /*
  32  * check-name: smatch overflow check #4
  33  * check-command: smatch --spammy sm_array_overflow4.c
  34  *
  35  * check-output-start
  36 sm_array_overflow4.c:22 main() error: buffer overflow 's' 8 <= 8
  37 sm_array_overflow4.c:23 main() error: buffer overflow 's2' 8 <= 8
  38 sm_array_overflow4.c:25 main() error: buffer overflow 'a' 8 <= 8
  39 sm_array_overflow4.c:26 main() error: strcpy() '"1234"' too large for 'buf' (5 vs 4)
  40 sm_array_overflow4.c:27 main() warn: strcpy() 'arg0' of unknown size might be too large for 'buf2'
  41  * check-output-end
  42  */