From: Ted Kremenek Date: Thu, 28 Jul 2011 23:07:43 +0000 (+0000) Subject: [analyzer] Add safety checking in RegionStoreManager for string literal underruns. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=31d922fdbf52ea14856f395cb1079173b33cefcd;p=clang [analyzer] Add safety checking in RegionStoreManager for string literal underruns. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@136415 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/lib/StaticAnalyzer/Core/RegionStore.cpp b/lib/StaticAnalyzer/Core/RegionStore.cpp index 0e3537c0ed..c06d1a5682 100644 --- a/lib/StaticAnalyzer/Core/RegionStore.cpp +++ b/lib/StaticAnalyzer/Core/RegionStore.cpp @@ -1042,6 +1042,10 @@ SVal RegionStoreManager::RetrieveElement(Store store, SVal Idx = R->getIndex(); if (nonloc::ConcreteInt *CI = dyn_cast(&Idx)) { int64_t i = CI->getValue().getSExtValue(); + // Abort on string underrun. This can be possible by arbitrary + // clients of RetrieveElement(). + if (i < 0) + return UndefinedVal(); int64_t byteLength = Str->getByteLength(); // Technically, only i == byteLength is guaranteed to be null. // However, such overflows should be caught before reaching this point;
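Review bot: the new `if (i < 0) return UndefinedVal();` guard in RetrieveElement silently returns an undefined value for a negative index into a string literal, but the hunk does not say whether such an underrun is expected to have been reported by a bounds checker before this point, the way the existing comment immediately below does for the overflow case ("such overflows should be caught before reaching this point"). Consider extending the new comment in the same way so that a reader knows this is a defensive fallback rather than the place where the bug is diagnosed, and rewording "This can be possible by arbitrary clients of RetrieveElement()" to something like "Arbitrary clients of RetrieveElement() may pass a negative index." The patch touches only RegionStore.cpp; a regression test that indexes a string literal with a negative constant (e.g. `"abc"[-1]`) and checks that the analyzer neither crashes nor reads out of bounds would make the intended behaviour checkable.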