False positive out of bounds (C)

rcr · November 19, 2018, 8:10pm

I haven’t tried a minimal test case in practice, but unless I’m missing something, I believe the code can be reduced to:

#define MAX_SEARCH 10

char buf[MAX_SEARCH];
size_t buf_i;

void
foo(char c)
{
    if (buf_i < (sizeof(buf) - 1)) {
        buf[buf_i++] = c;
        buf[buf_i] = 0;
    }
}

If buf_i is strictly less than (sizeof(buf) - 1)) we have
buf_i < (10 - 1)
buf_i is at most 8.
In which case both accesses to
buf[8]
buf[9]
are valid, though the later is being reported as out of bounds.

JolyLoic · November 20, 2018, 11:27am

Hello Richard,

You are right this is a bug, and I’ve been able to reproduce it with your sample, and to reduce it even further:

char buf[10];
unsigned long long buf_i;

void foo() {
    if (buf_i < 5) {
        buf[buf_i+1] = 0;
    }
}

It seems that the problem generates false-positives on a limited number of case. In the above example, no false-positive are raised for “unsigned long” for example.
This is a good finding, thanks for having raised our attention on it.

There is sadly no easy quick fix I can do so for the moment there is no any ETA to solve this problem. Until we managed to find a solution, I recommend you to flag this issue as false-positive.

Topic		Replies	Views
[c] Out of bound memory acess not detected in for loop Report False-positive / False-negative... cfamily	6	1107	October 6, 2022
False positive for "Out of bound memory access (accessed memory precedes memory block)" in C Report False-positive / False-negative... cfamily	6	3644	January 6, 2020
Out of bounds incorrectly detected SonarQube Cloud cfamily	3	417	March 18, 2022
FP Rule c:S3519 Out of bound memory access (accessed memory precedes memory block) Report False-positive / False-negative... sonarqube , cfamily	6	1008	January 13, 2023
C analysis missing detection of out of bound memory access SonarQube Server / Community Build sonarqube , cfamily	1	541	January 15, 2020

False positive out of bounds (C)

Related topics