[analyzer] Add safety checking in RegionStoreManager for string literal underruns.
authorTed Kremenek <kremenek@apple.com>
Thu, 28 Jul 2011 23:07:43 +0000 (23:07 +0000)
committerTed Kremenek <kremenek@apple.com>
Thu, 28 Jul 2011 23:07:43 +0000 (23:07 +0000)
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@136415 91177308-0d34-0410-b5e6-96231b3b80d8

lib/StaticAnalyzer/Core/RegionStore.cpp

index 0e3537c0ed44e85e9b66e48beb9d280fd8b68c00..c06d1a56826bf8b8b4b5f56b93df4684639b88be 100644 (file)
@@ -1042,6 +1042,10 @@ SVal RegionStoreManager::RetrieveElement(Store store,
     SVal Idx = R->getIndex();
     if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Idx)) {
       int64_t i = CI->getValue().getSExtValue();
+      // Abort on string underrun.  This can be possible by arbitrary
+      // clients of RetrieveElement().
+      if (i < 0)
+        return UndefinedVal();
       int64_t byteLength = Str->getByteLength();
       // Technically, only i == byteLength is guaranteed to be null.
       // However, such overflows should be caught before reaching this point;
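Review bot: The comment on the new `if (i < 0)` guard does not say what a negative index means for the model or why the result is `UndefinedVal()`, and its wording ("This can be possible by arbitrary clients") is hard to parse. Because `i` comes from `getSExtValue()`, an unsigned index with its top bit set would presumably also take this branch; that is still a conservative answer, but worth stating. I would reword the comment to `// A negative index reads before the start of the literal; callers are not guaranteed to have bounds-checked it, so model the load as undefined.` The context lines below suggest the overrun side is handled differently (apparently treated as null at or past `byteLength`), so a regression test with a negative constant index into a string literal would pin the new behaviour; none is visible on this page. RetrieveElement starts and ends outside the hunk.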