I have an example of a strcpy command that seems to be a risk of a buffer overflow, but PVS-Studio doesn’t raise a warning. In my example, strcpy is used to copy a command line argument into a buffer, without checking the size of the command line argument. This could result in a buffer overflow if the argument exceeds the size of the buffer.

Code example:

#include <string.h>

char carg1[13];                      /* 12 characters plus the terminator */

int main(int argc, char* argv[])
{
    /* Get name from the 1st command line arg: unbounded copy, with no check
       that argv[1] exists or that it fits in carg1 (the overflow in question) */
    strcpy(carg1, argv[1]);
    /* … */
    return 0;
}

The size of argv[1] isn't checked before being copied into carg1. Shouldn't this raise a warning?

Luchian Grigore
Sam Johnson
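A bounded version of the copy in the question, added here as an example (it is not code from the question or from PVS-Studio); copy_arg_checked and ARG_BUF_SIZE are names chosen for this example. It rejects an argument that would not fit, including the terminator, instead of overflowing or silently truncating, and it also handles a missing argv[1], which the original would dereference as NULL.

```c
#include <stdio.h>
#include <string.h>

/* Destination buffer from the question: 12 characters plus the terminator. */
#define ARG_BUF_SIZE 13
char carg1[ARG_BUF_SIZE];

/* Bounded replacement for the unchecked strcpy(carg1, argv[1]).
 * Copies src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if src is missing or too long; on failure dst
 * is left as an empty string so callers never read uninitialised bytes. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Look for the terminator within the first dst_size bytes of src only,
     * so a very long src is never scanned further than the buffer allows. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)               /* no terminator in range: src has >= dst_size chars */
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the '\0' */
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2 || copy_arg_checked(carg1, sizeof carg1, argv[1]) != 0) {
        fprintf(stderr, "usage: %s <name of at most %d characters>\n",
                argv[0], ARG_BUF_SIZE - 1);
        return 1;
    }
    printf("name: %s\n", carg1);
    return 0;
}
```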

2 Answers

It's theoretically impossible to build a perfect static analysis tool (this follows from results like the undecidability of the halting problem). As a result, all static analysis tools are at best heuristics that can try to detect certain classes of errors, and even then can't necessarily detect all of those errors.

So yes, the code you've got above looks like it has a potential buffer overflow. I honestly don't know why this particular tool can't detect the error, but my guess is that the internal heuristics the analyzer uses are for some reason failing to detect it.

Hope this helps!

templatetypedef
  • Actually, it _is_ possible to build a tool that detects all possible errors in a program. Simply flagging all instructions as potentially problematic fits the bill, if only in a very disappointing way. What you cannot write is an analyzer that is both correct and complete, i.e. one that detects only real errors, and all of them. To overcome this impossibility, static analyzers make a choice between being correct (flagging all possible errors, but emitting potentially lots of false alarms on some code), or being unsound (i.e. missing some errors). The second category is much more widespread. – byako Feb 12 '13 at 23:13
  • @BorisYakobowski- Absolutely. I was operating under the assumption of soundness, which in retrospect probably wasn't a good one. Thanks for adding that! – templatetypedef Feb 13 '13 at 00:21
There are 3 facts:

1) If you use the Visual C++ compiler then you will receive compiler warning 4996.

1>robust.cpp(529): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
1>          C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\include\string.h(110) : see declaration of 'strcpy'

2) PVS-Studio initially worked with Visual Studio only.

3) PVS-Studio policy is to implement diagnostic rules which do not duplicate compiler warnings.

So it seems logical that PVS doesn't check a case which has already been checked by the Microsoft compiler for a long time (since VS2005).

Update: Finally PVS implemented such a diagnostic rule: https://www.viva64.com/en/w/V755/print/

Andrey