Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ffcccc
langc
#include <stdlib.h>
 
struct S {
  size_t len;
  char buf[];  /* Flexible array member */
};

const char *find(const struct S *s, int c) {
  const char *first = s->buf;
  const char *last  = s->buf + s->len;

  while (first++ != last) { /* Undefined behavior */
    if (*first == (unsigned char)c) {
      return first;
    }
  }
  return NULL;
}
 
void g(void) {
  struct S *s = (struct S *)malloc(sizeof(struct S));
  if (s == NULL) {
    /* Handle error */
  }
  s->len = 0;
  find(s, 'a');
}

...

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
 
struct S {
  size_t len;
  char buf[];  /* Flexible array member */
};

const char *find(const struct S *s, int c) {
  const char *first = s->buf;
  const char *last  = s->buf + s->len;

  while (first != last) { /* Avoid incrementing here */
    if (*++first == (unsigned char)c) {
      return first;
    }
  }
  return NULL;
}
 
void g(void) {
  struct S *s = (struct S *)malloc(sizeof(struct S));
  if (s == NULL) {
    /* Handle error */
  }
  s->len = 0;
  find(s, 'a');
}

...

KlocworkKlocworkABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.STACK
ABV.TAINTED
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
ABV.UNKNOWN_SIZE
NNTS.MIGHT
NNTS.MUST
NNTS.TAINTED
SV.STRBO.BOUND_COPY.OVERFLOW
SV.STRBO.BOUND_COPY.UNTERM
SV.STRBO.BOUND_SPRINTF
SV.TAINTED.ALLOC_SIZE
SV.TAINTED.CALL.INDEX_ACCESS
SV.TAINTED.CALL.LOOP_BOUNDSV.UNBOUND_STRING_INPUT.CIN
SV.UNBOUND_STRING_INPUT.FUNC
Polyspace Bug Finder: Rule C

Checks for:

Array access
  • Pointer access out of bounds
  • Array access with tainted index
  • Use of tainted pointer
  • Pointer dereference with tainted offset
  • Rule partially covered.

    Tool

    Version

    Checker

    Description

    Astrée
    Include Page
    Astrée_V
    Astrée_V

    array-index-range
    array-index-range-constant
    null-dereferencing
    pointered-deallocation
    return-reference-local

    Partially checked

    Can detect all accesses to invalid pointers as well as array index out-of-bounds accesses and prove their absence.

    This rule is only partially checked as invalid but unused pointers may not be reported.

    Axivion Bauhaus Suite

    Include Page
    Axivion Bauhaus Suite_V
    Axivion Bauhaus Suite_V

    CertC-ARR30
    Can detect out-of-bound access to array / buffer
    CodeSonar
    Include Page
    CodeSonar_V
    CodeSonar_V

    LANG.MEM.BO
    LANG.MEM.BU
    LANG.MEM.TBA
    LANG.MEM.TO
    LANG.MEM.TU
    LANG.STRUCT.PARITH
    LANG.STRUCT.PBB
    LANG.STRUCT.PPE
    BADFUNC.BO.*

    Buffer overrun
    Buffer underrun
    Tainted buffer access
    Type overrun
    Type underrun
    Pointer Arithmetic
    Pointer before beginning of object
    Pointer past end of object
    A collection of warning classes that report uses of library functions prone to internal buffer overflows.

    Compass/ROSE

    Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern:

       for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';
    *pwszTemp++;)

    In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax

    Coverity

    Include Page
    Coverity_V
    Coverity_V

    OVERRUN

    NEGATIVE_RETURNS

    ARRAY_VS_SINGLETON

    BUFFER_SIZE

    Can detect the access of memory past the end of a memory buffer/array

    Can detect when the loop bound may become negative

    Can detect the out-of-bound read/write to array allocated statically or dynamically

    Can detect buffer overflows

    Cppcheck
    Include Page
    Cppcheck_V
    Cppcheck_V

    arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond,  possibleBufferAccessOutOfBounds

    Context sensitive analysis of array index, pointers, etc.

    Array index out of bounds

    Buffer overflow when calling various functions memset,strcpy,..

    Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead

    Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds

    KlocworkCppcheck Premium

    Include Page

    Cppcheck Premium_V

    Cppcheck Premium_V

    arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond,  possibleBufferAccessOutOfBounds

    premium-cert-arr30-c

    Context sensitive analysis of array index, pointers, etc.

    Array index out of bounds

    Buffer overflow when calling various functions memset,strcpy,..

    Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead

    Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds

    Helix QAC

    Include Page
    Helix QAC_V
    Helix QAC_V

    C2840

    DF2820, DF2821, DF2822, DF2823, DF2840, DF2841, DF2842, DF2843, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938, DF2950, DF2951, DF2952, DF2953


    Klocwork
    Include Page
    Klocwork_V
    Klocwork_V

    ABV.GENERAL
    ABV.GENERAL.MULTIDIMENSION
    NPD.FUNC.CALL.MIGHT
    ABV.ANY_SIZE_ARRAY
    ABV.STACK
    ABV.TAINTED
    ABV.UNICODE.BOUND_MAP
    ABV.UNICODE.FAILED_MAP
    ABV.UNICODE.NNTS_MAP
    ABV.UNICODE.SELF_MAP
    ABV.UNKNOWN_SIZE
    NNTS.MIGHT
    NNTS.MUST
    NNTS.TAINTED


    SV.TAINTED.INDEX_ACCESS
    SV.TAINTED.LOOP_BOUND


    LDRA tool suite
     
    Include Page
    LDRA_V
    LDRA_V

    45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X

    Partially implemented
    Parasoft C/C++test
    Include Page
    Parasoft_VParasoft_VCERT_C-ARR30-a
    Avoid accessing arrays out of boundsParasoft Insure++Runtime analysisPolyspace Bug Finder
    Include Page
    Polyspace Bug Finder_V++test
    Include Page
    Parasoft_V
    Parasoft
    _V
    CERT_C-ARR30-a
    Avoid accessing arrays out of bounds
    Parasoft Insure++

    Runtime analysis
    PC-lint Plus

    Include Page
    PC-lint Plus_V
    PC-lint Plus_V

    413, 415, 416, 613, 661, 662, 676

    Fully supported

    Polyspace Bug Finder

    Include Page
    Polyspace Bug Finder_V
    Polyspace Bug Finder_V

    CERT C: Rule ARR30-C

    Checks for:

    • Array access out of bounds
    • Pointer access out of bounds
    • Array access with tainted index
    • Use of tainted pointer
    • Pointer dereference with tainted offset

    Rule partially covered.

    PRQA QA-C
    Include Page
    PRQA QA-C_vPRQA QA-C_v

    2840, 2841, 2842, 2843, 2844, 2930, 2931,

    2932, 2933, 2934, 2935, 2936, 2937, 2938,

    2939, 2950, 2951, 2952, 2953

    Partially implementedPRQA QA-C++
    Include Page
    cplusplus:PRQA QA-C++_Vcplusplus:PRQA QA-C++_V

    2820, 2821, 2822, 2823, 2824, 2840, 2841,

    2842, 2843, 2844, 2930, 2931, 2932,2935,

    2936, 2937, 2938, 2939, 2950, 2951, 2952

    Partially implemented

    PVS-Studio

    Include Page
    PVS-Studio_V
    PVS-Studio_V

    V512, V557, V582, V594, V643, V645, V694, V1086
    RuleChecker

    Include Page
    RuleChecker_V
    RuleChecker_V

    array-index-range-constant
    return-reference-local
    Partially checked
    TrustInSoft Analyzer

    Include Page
    TrustInSoft Analyzer_V
    TrustInSoft Analyzer_V

    index_in_address

    Exhaustively verified (see one compliant and one non-compliant example).

    Related Vulnerabilities

    CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].

    ...