Skip to content

Commit 0e0b501

Browse files
author
Daniel Kroening
authored
Merge pull request diffblue#1463 from diffblue/mem-safety-check
check that memory for memcpy, memset and memmove is accessible
2 parents f94807d + 5777062 commit 0e0b501

File tree

3 files changed

+30
-0
lines changed

3 files changed

+30
-0
lines changed

regression/cbmc/memset3/main.c

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
#include <string.h>
2+
#include <stdlib.h>
3+
#include <assert.h>
4+
5+
int main()
6+
{
7+
int *A=malloc(sizeof(int)*4);
8+
9+
memset(A+20, 0, sizeof(int)); // out-of-bounds
10+
11+
return 0;
12+
}

regression/cbmc/memset3/test.desc

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
CORE
2+
main.c
3+
--pointer-check
4+
^EXIT=10$
5+
^SIGNAL=0$
6+
^VERIFICATION FAILED$
7+
\[.*] dereference failure: pointer outside dynamic object bounds in .*: FAILURE
8+
\*\* 1 of .* failed \(.*\)
9+
--
10+
^warning: ignoring

src/ansi-c/library/string.c

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -531,6 +531,8 @@ void *memcpy(void *dst, const void *src, size_t n)
531531
#else
532532
__CPROVER_assert(__CPROVER_POINTER_OBJECT(dst)!=
533533
__CPROVER_POINTER_OBJECT(src), "memcpy src/dst overlap");
534+
(void)*(char *)dst; // check that the memory is accessible
535+
(void)*(const char *)src; // check that the memory is accessible
534536
//for(__CPROVER_size_t i=0; i<n ; i++) ((char *)dst)[i]=((const char *)src)[i];
535537
char src_n[n];
536538
__CPROVER_array_copy(src_n, (char*)src);
@@ -561,6 +563,8 @@ void *__builtin___memcpy_chk(void *dst, const void *src, __CPROVER_size_t n, __C
561563
#else
562564
__CPROVER_assert(__CPROVER_POINTER_OBJECT(dst)!=
563565
__CPROVER_POINTER_OBJECT(src), "memcpy src/dst overlap");
566+
(void)*(char *)dst; // check that the memory is accessible
567+
(void)*(const char *)src; // check that the memory is accessible
564568
(void)size;
565569
//for(__CPROVER_size_t i=0; i<n ; i++) ((char *)dst)[i]=((const char *)src)[i];
566570
char src_n[n];
@@ -598,6 +602,7 @@ void *memset(void *s, int c, size_t n)
598602
else
599603
__CPROVER_is_zero_string(s)=0;
600604
#else
605+
(void)*(char *)s; // check that the memory is accessible
601606
//char *sp=s;
602607
//for(__CPROVER_size_t i=0; i<n ; i++) sp[i]=c;
603608
unsigned char s_n[n];
@@ -659,6 +664,7 @@ void *__builtin___memset_chk(void *s, int c, __CPROVER_size_t n, __CPROVER_size_
659664
else
660665
__CPROVER_is_zero_string(s)=0;
661666
#else
667+
(void)*(char *)s; // check that the memory is accessible
662668
(void)size;
663669
//char *sp=s;
664670
//for(__CPROVER_size_t i=0; i<n ; i++) sp[i]=c;
@@ -693,6 +699,8 @@ void *memmove(void *dest, const void *src, size_t n)
693699
else
694700
__CPROVER_is_zero_string(dest)=0;
695701
#else
702+
(void)*(char *)dest; // check that the memory is accessible
703+
(void)*(const char *)src; // check that the memory is accessible
696704
char src_n[n];
697705
__CPROVER_array_copy(src_n, (char*)src);
698706
__CPROVER_array_replace((char*)dest, src_n);

0 commit comments

Comments
 (0)