1.7 KiB
Buffer overrun reports fall into several "buckets" corresponding to the expected precision of the report. The higher the number, the more likely it is to be a false positive.
-
L1: The most faithful report, when it must be unsafe. For example, array size:[5,5], offset:[3,3]. -
L2: Less faithful report thanL1, when it may be unsafe. For example, array size:[5,5], offset:[0,5]. Note that the offset may be a safe value in the real execution, i.e. 0, 1, 2, 3, 4. -
L5: The least faithful report, when there is an interval top. For example, array size:[5,5], offset:[-oo,+oo]. -
L4: More faithful report thanL5, when there is an infinity value. For example, array size:[5,5], offset:[0, +oo]. -
L3: The reports that are not included in the above cases.
Other than them, there are some specific-purpose buffer overrun reports as follows.
-
R2: An array access is unsafe by risky array values fromstrndup. For example, suppose there is astrndupcall as follows.char* s1 = (char*)malloc(sizeof(char) * size); for (int i = 0; i < size; i++) { s1[i] = 'a'; } s1[5] = '\0'; char* s2 = strndup(s1, size - 1); s2[size - 1] = 'a';Even if the second parameter of
strndupissize - 1, the length ofs2can be shorter thansizeif there is the null character in the middle ofs1. -
S2: An array access is unsafe by symbolic values. For example, array size:[n,n], offset[n,+oo]. -
T1: An array access is unsafe by tainted external values. This is experimental and will be removed sooner or later. -
U5: An array access is unsafe by unknown values, which are usually from unknown function calls.