Pointer overflow checks should detect overflow in offset multiplication

tautschnig · tautschnig · commit 35d46f3945a2 · 2022-02-03T18:13:22.000Z
Pointer arithmetic requires multiplication of the offset by the size of the base type (for any base type larger than 1 byte). Such a multiplication isn't introduced until the back-end, where no opportunity for adding properties exists anymore. Therefore, synthesize the multiplication to generate arithmetic overflow checks at the GOTO level. Fixes: diffblue#6631
diff --git a/regression/cbmc/pointer-overflow4/main.c b/regression/cbmc/pointer-overflow4/main.c
@@ -0,0 +1,11 @@
+#include <stdint.h>
+
+int main()
+{
+  int32_t i[5];
+  // Offset 1 resulted in spuriously failing to detect an overflow in pointer
+  // arithmetic in the next line for PTRDIFF_MAX * 4 + 4 = 0 in wrap-around
+  // semantics. Any other offset would yield the expected failure.
+  int32_t *p = &i[1];
+  int32_t *q = p + PTRDIFF_MAX;
+}
diff --git a/regression/cbmc/pointer-overflow4/test.desc b/regression/cbmc/pointer-overflow4/test.desc
@@ -0,0 +1,10 @@
+CORE
+main.c
+--pointer-overflow-check
+^\[main.overflow.1\] line 17 arithmetic overflow on signed \* in (0x)?[0-9a-fA-F]+l* \* \(signed (long (long )?)?int\)4ul*: FAILURE$
+^\*\* 1 of \d+ failed
+^VERIFICATION FAILED$
+^EXIT=10$
+^SIGNAL=0$
+--
+^warning: ignoring
diff --git a/src/analyses/goto_check_c.cpp b/src/analyses/goto_check_c.cpp
@@ -1346,6 +1346,32 @@ void goto_check_ct::pointer_overflow_check(
     expr.operands().size() == 2,
     "pointer arithmetic expected to have exactly 2 operands");
 
+  // multiplying the offset by the object size must not result in arithmetic
+  // overflow
+  const typet &object_type = to_pointer_type(expr.type()).base_type();
+  if(object_type.id() != ID_empty)
+  {
+    auto size_of_expr_opt = size_of_expr(object_type, ns);
+    CHECK_RETURN(size_of_expr_opt.has_value());
+    exprt object_size = size_of_expr_opt.value();
+
+    const binary_exprt &binary_expr = to_binary_expr(expr);
+    exprt offset_operand = binary_expr.lhs().type().id() == ID_pointer
+                             ? binary_expr.rhs()
+                             : binary_expr.lhs();
+    mult_exprt mul{
+      offset_operand,
+      typecast_exprt::conditional_cast(object_size, offset_operand.type())};
+    mul.add_source_location() = offset_operand.source_location();
+
+    flag_resett resetter(offset_operand.source_location());
+    resetter.set_flag(
+      enable_signed_overflow_check, true, "signed_overflow_check");
+    resetter.set_flag(
+      enable_unsigned_overflow_check, true, "unsigned_overflow_check");
+    integer_overflow_check(mul, guard);
+  }
+
   // the result must be within object bounds or one past the end
   const auto size = from_integer(0, size_type());
   auto conditions = get_pointer_dereferenceable_conditions(expr, size);
