https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123085

            Bug ID: 123085
           Summary: -Wanalyzer-out-of-bounds: false positive after pointer
                    arithmetic in relation with strlen()
           Product: gcc
           Version: 14.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: stefan.tauner at gmx dot at
  Target Milestone: ---

Created attachment 63030
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=63030&action=edit
reproducer

The analyzer seems somehow convinced that strlen() tries to access exactly as many
bytes as dirname was initialized to (in this case 2, but just try extending the
parameter to bug()).

gcc -c "fanalyzer_offbyone.c" -fanalyzer
fanalyzer_offbyone.c: In function 'bug':
fanalyzer_offbyone.c:5:12: warning: buffer over-read [CWE-126]
[-Wanalyzer-out-of-bounds]
    5 |     return strlen(dirname);
      |            ^~~~~~~~~~~~~~~
  'main': events 1-2
    |
    |    8 | int main (void) {
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to 'main'
    |    9 |     return bug("/");
    |      |            ~~~~~~~~
    |      |            |
    |      |            (2) calling 'bug' from 'main'
    |
    +--> 'bug': events 3-5
           |
           |    3 | static int bug(const char *dirname) {
           |      |            ^~~
           |      |            |
           |      |            (3) entry to 'bug'
           |    4 |     dirname++;
           |    5 |     return strlen(dirname);
           |      |            ~~~~~~~~~~~~~~~
           |      |            |
           |      |            (4) while looking for null terminator for
argument 1 ('dirname') of 'strlen'...
           |      |            (5) out-of-bounds read at byte 2 but '"/"' ends
at byte 2
           |
fanalyzer_offbyone.c:5:12: note: read of 1 byte from after the end of '"/"'
    5 |     return strlen(dirname);
      |            ^~~~~~~~~~~~~~~
fanalyzer_offbyone.c:5:12: note: valid subscripts for '"/"' are '[0]' to '[1]'

                               ┌─────────────────────────────────────────┐
                               │             read of 2 bytes             │
                               └─────────────────────────────────────────┘
                                        ^                      ^
                                        │                      │
                                        │                      │
  ┌──────────────────┬─────────┬──────────────────┐   ┌──────────────────┐
  │       [0]        │   ...   │       [1]        │   │                  │
  ├──────────────────┼─────────┼──────────────────┤   │                  │
  │       '/'        │         │       NUL        │   │after valid range │
  ├──────────────────┴─────────┴──────────────────┤   │                  │
  │       string literal (type: 'char[2]')        │   │                  │
  └───────────────────────────────────────────────┘   └──────────────────┘
  ├───────────────────────┬───────────────────────┤   ├────────┬─────────┤
                          │                                    │
                   ╭──────┴──────╮                 ╭───────────┴──────────╮
                   │size: 2 bytes│                 │⚠️  over-read of 1 byte│
                   ╰─────────────╯                 ╰──────────────────────╯
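
The reproducer as it appears in the diagnostic above, reassembled into a stand-alone file with a bounded model of the bytes strlen() actually touches, as an added example that is not the attachment from the report; the helper names bytes_strlen_reads and last_byte_index are assumptions:

```c
/* Added example, not the report's attachment: the reproducer from the
 * diagnostic plus a model of what strlen() reads, to check the analyzer's
 * "read of 2 bytes" claim. Helper names are assumed, not from GCC. */
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* The function the analyzer warns about (line 5 in the report). */
static int bug(const char *dirname) {
    dirname++;              /* skip the leading '/' */
    return strlen(dirname); /* on "/", reads only the NUL at index 1 */
}

/* Model of strlen() over a buffer of known size starting at 'offset':
 * returns the number of bytes read (chars up to and including the NUL),
 * or 0 when no terminator lies inside the buffer (a genuine over-read). */
static size_t bytes_strlen_reads(const char *buf, size_t size, size_t offset) {
    for (size_t i = offset; i < size; i++) {
        if (buf[i] == '\0')
            return i - offset + 1;
    }
    return 0;
}

/* Highest byte index strlen() touches when started at 'offset';
 * returns 'size' (one past the last valid index) if it would over-read. */
static size_t last_byte_index(const char *buf, size_t size, size_t offset) {
    size_t n = bytes_strlen_reads(buf, size, offset);
    return n ? offset + n - 1 : size;
}

int main(void) {
    static const char lit[] = "/";                     /* char[2]: '/', NUL */
    assert(bytes_strlen_reads(lit, sizeof lit, 1) == 1); /* 1 byte, not 2 */
    assert(last_byte_index(lit, sizeof lit, 1) == 1);    /* within [0]..[1] */
    assert(bug("/") == 0);
    /* Without a terminator in range the model does flag a real over-read. */
    char unterminated[2] = { 'a', 'b' };
    assert(bytes_strlen_reads(unterminated, sizeof unterminated, 0) == 0);
    assert(last_byte_index(unterminated, sizeof unterminated, 0) == 2);
    return 0;
}
```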
