The index operators:

    const_reference operator[](size_type pos) const;
    reference operator[](size_type pos);

return the character stored at the specified position if pos < size(). If pos == size(), the const version returns a value of the character type equal to the terminating null character. Otherwise, the behavior is undefined. In any case, the behavior of the index operators is unchecked (no exceptions are thrown).
Non-Compliant Example
The behavior of this non-compliant example is undefined because the size() of bs is 8, but the index used to reference bs ranges from 0 through 99.

    string bs("01234567");
    for (int i = 0; i < 100; i++) {
      bs[i] = '\0';
    }

This program typically does not raise an exception and is likely to crash.
Compliant Solution
The following compliant solution uses the basic_string at() method, which behaves in a similar fashion to the index operator[] but throws an out_of_range exception if pos >= size().

    string bs("01234567");
    try {
      for (int i = 0; i < 100; i++) {
        bs.at(i) = '\0';
      }
    } catch (const out_of_range &) {
      cerr << "Index out of range" << endl;
    }
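The following is an added example, not part of the original page: it reproduces the 8-character string and 100-iteration loop above, shows that at() stops the loop at index 8 (the first position with pos >= size()), and contrasts it with a loop whose bound is clamped to size() so the unchecked operator[] is never used out of range. The function names checked_fill, bounded_fill and fill_example are assumptions made for this example.

```cpp
#include <algorithm>
#include <iostream>
#include <stdexcept>
#include <string>

// Overwrite up to 'count' characters of 's' through bounds-checked at().
// at() throws std::out_of_range as soon as i >= s.size(), so the write
// that operator[] would perform out of bounds never happens.
// Returns the number of characters actually written.
std::size_t checked_fill(std::string& s, std::size_t count, char c) {
    std::size_t written = 0;
    try {
        for (std::size_t i = 0; i < count; ++i) {
            s.at(i) = c;
            ++written;
        }
    } catch (const std::out_of_range&) {
        // First rejected index is s.size(); nothing past the end was touched.
    }
    return written;
}

// Alternative that avoids the exception path entirely: clamp the loop
// bound to size() so operator[] is only ever used with pos < size().
std::size_t bounded_fill(std::string& s, std::size_t count, char c) {
    const std::size_t n = std::min(count, s.size());
    for (std::size_t i = 0; i < n; ++i) {
        s[i] = c;
    }
    return n;
}

// Wrapper mirroring the page's example (hypothetical helper): an
// 8-character string and a request for 'count' writes. Returns the result.
std::string fill_example(std::size_t count, char c, bool use_at) {
    std::string bs("01234567");  // constructed sample input
    if (use_at) {
        checked_fill(bs, count, c);
    } else {
        bounded_fill(bs, count, c);
    }
    return bs;
}

int main() {
    std::string bs("01234567");
    std::size_t n = checked_fill(bs, 100, 'x');
    std::cout << n << " of 100 writes accepted; bs = \"" << bs << "\"\n";
    return 0;
}
```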
Consequences
Unchecked element access can lead to out-of-bounds reads and writes and to write-anywhere exploits. These exploits can in turn lead to the execution of arbitrary code with the permissions of the vulnerable process.