
array index out of bounds can't be checked

wy163
2024-12-16
2024-12-20
  • wy163

    wy163 - 2024-12-16

    Hello,

    With the code below, the array index out of bounds error can't be checked.

    void foo(int x)
    {
        int buf[10];
        if (x == 1000)
            buf[x] = 0;
    }
    

    When passing 1000 to the function foo, there should be an error that the index is out of bounds. But it seems this cannot be checked by cppcheck.
    Do you know why? Thanks!

     
  • CHR

    CHR - 2024-12-16

    Output from the (outdated) online demo:

    Cppcheck 2.10
    [test.cpp:4] -> [test.cpp:5]: (warning) Either the condition 'x==1000' is redundant or the array 'buf[10]' is accessed at index 1000, which is out of bounds.
    

    Which version do you use?

     
  • wy163

    wy163 - 2024-12-17

    Hi, my version is Cppcheck 2.16.0. Is there any option that needs to be turned on to display the warnings? My command is just like below, without using any option.

    ./cppcheck arrayIndexOutOfBounds.c

     
  • CHR

    CHR - 2024-12-17

    You need to pass (at least) --enable=warning. By default, only errors are reported.

     
  • wy163

    wy163 - 2024-12-19

    Hi CHR, thanks so much for your reply. I have another, separate question. Could you help take a look? This problem is actually a famous example, which is explained at the link below:
    https://www.theregister.com/2014/01/09/x11_has_privilege_escalation_bug/
    I copied the piece of code from the checked file where the error should be.

        if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
            bdfError("bad character name in BDF file\n");
            goto BAILOUT;   /* bottom of function, free and return error */
        }
    

    The charName should be copied with a limited length.

    But I can't get the expected error which should be checked by the cppcheck.

    ./cppcheck --enable=warning bdfread.c 
    

    I attached the file bdfread.c and copied my result below.

    ../../main_sample/checkcpp/1/bdfread.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
    
    ^
    ../../main_sample/checkcpp/1/bdfread.c:706:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->pointSizeProp = &props[nextProp];
     ^
    ../../main_sample/checkcpp/1/bdfread.c:713:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->fontProp = &props[nextProp];
     ^
    ../../main_sample/checkcpp/1/bdfread.c:720:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->weightProp = &props[nextProp];
     ^
    ../../main_sample/checkcpp/1/bdfread.c:728:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->resolutionProp = &props[nextProp];
     ^
    ../../main_sample/checkcpp/1/bdfread.c:735:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->resolutionProp = &props[nextProp];
     ^
    ../../main_sample/checkcpp/1/bdfread.c:742:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->resolutionProp = &props[nextProp];
     ^
    ../../main_sample/checkcpp/1/bdfread.c:749:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->xHeightProp = &props[nextProp];
     ^
    ../../main_sample/checkcpp/1/bdfread.c:756:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
     pState->quadWidthProp = &props[nextProp];
    
     
  • Daniel Marjamäki

    With Cppcheck 2.16.0 I get this output:

    bdfread.c:341:6: warning: sscanf() without field width limits can crash with huge input data. [invalidscanf]
     if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
         ^
    

    I scanned the bdfread.c you attached and I used the same flags you did:

    $ ~/.cppcheck/cppcheck-2.16.0 --enable=warning bdfread.c
    
     
    • Daniel Marjamäki

      The full output I get is:

      Checking bdfread.c ...
      bdfread.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
      
      ^
      bdfread.c:706:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->pointSizeProp = &props[nextProp];
       ^
      bdfread.c:713:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->fontProp = &props[nextProp];
       ^
      bdfread.c:720:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->weightProp = &props[nextProp];
       ^
      bdfread.c:728:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->resolutionProp = &props[nextProp];
       ^
      bdfread.c:735:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->resolutionProp = &props[nextProp];
       ^
      bdfread.c:742:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->resolutionProp = &props[nextProp];
       ^
      bdfread.c:749:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->xHeightProp = &props[nextProp];
       ^
      bdfread.c:756:2: error: Address of local auto-variable assigned to a function parameter. [autoVariables]
       pState->quadWidthProp = &props[nextProp];
       ^
      bdfread.c:341:6: warning: sscanf() without field width limits can crash with huge input data. [invalidscanf]
       if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
           ^
      bdfread.c:547:18: warning: sscanf() without field width limits can crash with huge input data. [invalidscanf]
          if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
                       ^
      bdfread.c:553:18: warning: sscanf() without field width limits can crash with huge input data. [invalidscanf]
          if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
                       ^
      bdfread.c:636:10: warning: sscanf() without field width limits can crash with huge input data. [invalidscanf]
       switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
               ^
      Checking bdfread.c: HAVE_CONFIG_H...
      Checking bdfread.c: HAVE_STDINT_H...
      Checking bdfread.c: INT32_MAX...
      

      So it seems you get the errors but not the warnings. That is pretty strange.

       
  • wy163

    wy163 - 2024-12-20

    Hi, I got where the problem is. It's my problem. Sorry for the trouble.
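
The `invalidscanf` warning discussed in this thread is resolved by giving `%s` a field width one less than the destination size. The following is an added example, not code from bdfread.c or from the Cppcheck project: `CHARNAME_MAX`, `parse_startchar` and `parse_name_of_length` are hypothetical names, and the buffer size of 100 is an assumption. It also rejects over-long names instead of silently truncating them.

```c
/* Added example, not from bdfread.c. CHARNAME_MAX is an assumed buffer size. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CHARNAME_MAX   100
#define CHARNAME_WIDTH 99            /* field width: room left for the '\0' */
#define STR2(x) #x
#define STR(x)  STR2(x)
_Static_assert(CHARNAME_WIDTH == CHARNAME_MAX - 1, "width must be size - 1");

enum { PARSE_OK = 0, PARSE_NO_MATCH = -1, PARSE_TOO_LONG = -2 };

/* Width-limited form of: sscanf(line, "STARTCHAR %s", charName) */
int parse_startchar(const char *line, char out[CHARNAME_MAX])
{
    int consumed = 0;
    out[0] = '\0';
    if (sscanf(line, "STARTCHAR %" STR(CHARNAME_WIDTH) "s%n", out, &consumed) != 1)
        return PARSE_NO_MATCH;
    /* If %99s stopped on a non-space byte, the name was longer than the
       buffer: reject it instead of silently keeping a truncated name. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) {
        out[0] = '\0';
        return PARSE_TOO_LONG;
    }
    return PARSE_OK;
}

/* Constructed input: a STARTCHAR line whose name is n bytes of 'A'. */
int parse_name_of_length(size_t n)
{
    char line[512] = "STARTCHAR ";
    char name[CHARNAME_MAX];
    size_t off = strlen(line);

    if (n >= sizeof line - off)
        return PARSE_NO_MATCH;
    memset(line + off, 'A', n);
    line[off + n] = '\0';
    return parse_startchar(line, name);
}

int main(void)
{
    printf("99 bytes: %d, 100 bytes: %d, 400 bytes: %d\n",
           parse_name_of_length(99), parse_name_of_length(100), parse_name_of_length(400));
    return 0;
}
```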

     
