Fix buffer overflow reported in PR 4903. llvm-svn: 81092

commit: b5850f9c80587893cc790a85bd08ad58179b8d49 [log] [tgz]
author: Ted Kremenek <kremenek@apple.com> Sat Sep 05 17:59:01 2009 +0000
committer: Ted Kremenek <kremenek@apple.com> Sat Sep 05 17:59:01 2009 +0000
tree: 3dafca426af250ed076fb08bc3763549be0e442e
parent: 25900fc909769128884cffa4abfdae4327ded20e [diff] [blame]
diff --git a/clang/lib/Analysis/RegionStore.cpp b/clang/lib/Analysis/RegionStore.cpp
index 4c86107..5114035 100644
--- a/clang/lib/Analysis/RegionStore.cpp
+++ b/clang/lib/Analysis/RegionStore.cpp

@@ -1010,11 +1010,14 @@
     SVal Idx = R->getIndex();
     if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Idx)) {
       int64_t i = CI->getValue().getSExtValue();
-      char c;
-      if (i == Str->getByteLength())
-        c = '\0';
-      else
-        c = Str->getStrData()[i];
+      int64_t byteLength = Str->getByteLength();      
+      if (i > byteLength) {
+        // Buffer overflow checking in GRExprEngine should handle this case,
+        // but we shouldn't rely on it to not overflow here if that checking
+        // is disabled.
+        return UnknownVal();
+      }      
+      char c = (i == byteLength) ? '\0' : Str->getStrData()[i];
       return ValMgr.makeIntVal(c, getContext().CharTy);
     }
   }
commit	b5850f9c80587893cc790a85bd08ad58179b8d49	[log] [tgz]
author	Ted Kremenek <kremenek@apple.com>	Sat Sep 05 17:59:01 2009 +0000
committer	Ted Kremenek <kremenek@apple.com>	Sat Sep 05 17:59:01 2009 +0000
tree	3dafca426af250ed076fb08bc3763549be0e442e
parent	25900fc909769128884cffa4abfdae4327ded20e [diff] [blame]