Page History

...

Code Block

bgColor	#ffcccc
lang	c

#include <stdlib.h>
 
struct S {
  size_t len;
  char buf[];  /* Flexible array member */
};

const char *find(const struct S *s, int c) {
  const char *first = s->buf;
  const char *last  = s->buf + s->len;

  while (first++ != last) { /* Undefined behavior */
    if (*first == (unsigned char)c) {
      return first;
    }
  }
  return NULL;
}
 
void g(void) {
  struct S *s = (struct S *)malloc(sizeof(struct S));
  if (s == NULL) {
    /* Handle error */
  }
  s->len = 0;
  find(s, 'a');
}

...

Code Block

bgColor	#ccccff
lang	c

#include <stdlib.h>
 
struct S {
  size_t len;
  char buf[];  /* Flexible array member */
};

const char *find(const struct S *s, int c) {
  const char *first = s->buf;
  const char *last  = s->buf + s->len;

  while (first != last) { /* Avoid incrementing here */
    if (*++first == (unsigned char)c) {
      return first;
    }
  }
  return NULL;
}
 
void g(void) {
  struct S *s = (struct S *)malloc(sizeof(struct S));
  if (s == NULL) {
    /* Handle error */
  }
  s->len = 0;
  find(s, 'a');
}

...

KlocworkKlocworkABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.STACK
ABV.TAINTED
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
ABV.UNKNOWN_SIZE
NNTS.MIGHT
NNTS.MUST
NNTS.TAINTED
SV.STRBO.BOUND_COPY.OVERFLOW
SV.STRBO.BOUND_COPY.UNTERM
SV.STRBO.BOUND_SPRINTF
SV.TAINTED.ALLOC_SIZE
SV.TAINTED.CALL.INDEX_ACCESS
SV.TAINTED.CALL.LOOP_BOUNDSV.UNBOUND_STRING_INPUT.CIN
SV.UNBOUND_STRING_INPUT.FUNCPolyspace Bug Finder: Rule C

Checks for:

Array access

Pointer access out of bounds

Array access with tainted index

Use of tainted pointer

Pointer dereference with tainted offset

Rule partially covered.

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

array-index-range
array-index-range-constant
null-dereferencing
pointered-deallocation
return-reference-local

Partially checked

Can detect all accesses to invalid pointers as well as array index out-of-bounds accesses and prove their absence.

This rule is only partially checked as invalid but unused pointers may not be reported.

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-ARR30

Can detect out-of-bound access to array / buffer

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

LANG.MEM.BO
LANG.MEM.BU
LANG.MEM.TBA
LANG.MEM.TO
LANG.MEM.TU
LANG.STRUCT.PARITH
LANG.STRUCT.PBB
LANG.STRUCT.PPE
BADFUNC.BO.*

Buffer overrun
Buffer underrun
Tainted buffer access
Type overrun
Type underrun
Pointer Arithmetic
Pointer before beginning of object
Pointer past end of object
A collection of warning classes that report uses of library functions prone to internal buffer overflows.

Compass/ROSE

Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern:

   for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';
   *pwszTemp++;)

In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax

Coverity

Include Page

	Coverity_V
	Coverity_V

OVERRUN

NEGATIVE_RETURNS

ARRAY_VS_SINGLETON

BUFFER_SIZE

Can detect the access of memory past the end of a memory buffer/array

Can detect when the loop bound may become negative

Can detect the out-of-bound read/write to array allocated statically or dynamically

Can detect buffer overflows

Cppcheck

Include Page

	Cppcheck_V
	Cppcheck_V

arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds

Context sensitive analysis of array index, pointers, etc.

Array index out of bounds

Buffer overflow when calling various functions memset,strcpy,..

Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead

Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds

Klocwork Cppcheck Premium

Include Page

	Cppcheck Premium_V

	Cppcheck Premium_V

arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds

premium-cert-arr30-c

Context sensitive analysis of array index, pointers, etc.

Array index out of bounds

Buffer overflow when calling various functions memset,strcpy,..

Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead

Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C2840

DF2820, DF2821, DF2822, DF2823, DF2840, DF2841, DF2842, DF2843, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938, DF2950, DF2951, DF2952, DF2953

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

ABV.GENERAL
ABV.GENERAL.MULTIDIMENSION
NPD.FUNC.CALL.MIGHT
ABV.ANY_SIZE_ARRAY
ABV.STACK
ABV.TAINTED
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
ABV.UNKNOWN_SIZE
NNTS.MIGHT
NNTS.MUST
NNTS.TAINTED

SV.TAINTED.INDEX_ACCESS
SV.TAINTED.LOOP_BOUND

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X

Partially implemented

Parasoft C/C++test

Include Page

	Parasoft_V	Parasoft_V

CERT_C-ARR30-a

Avoid accessing arrays out of bounds

Parasoft Insure++

Runtime analysis

Polyspace Bug Finder

Include Page

Polyspace Bug Finder_V

Parasoft_V

CERT_C

-ARR30-

a

Avoid accessing arrays

out of bounds

Parasoft Insure++

Runtime analysis

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

413, 415, 416, 613, 661, 662, 676

Fully supported

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rule ARR30-C

Checks for:

Array access out of bounds
Pointer access out of bounds
Array access with tainted index
Use of tainted pointer
Pointer dereference with tainted offset

Rule partially covered.

PRQA QA-C

Include Page

PRQA QA-C_v

2820, 2821, 2822, 2823, 2840, 2841, 2842, 2843, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938, 2950, 2951, 2952, 2953

Partially implemented

PRQA QA-C++

Include Page

cplusplus:PRQA QA-C++_V

2820, 2821, 2822, 2823, 2824, 2840, 2841,

2842, 2843, 2844, 2930, 2931, 2932,2935,

2936, 2937, 2938, 2939, 2950, 2951, 2952

Partially implemented

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V512, V557, V582, V594, V643, V645, V694, V1086

RuleChecker

Include Page

	RuleChecker_V
	RuleChecker_V

array-index-range-constant
return-reference-local

Partially checked

TrustInSoft Analyzer

Include Page

	TrustInSoft Analyzer_V
	TrustInSoft Analyzer_V

index_in_address

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].

...

Space shortcuts

Page tree

Versions Compared

Old Version 151

New Version Current

Key

Related Vulnerabilities