CXX.SUSPICIOUS_INDEX_CHECK
The CXX.SUSPICIOUS_INDEX_CHECK checker finds defects when a suspicious index check is present before accessing an array at a specific index.
Vulnerability and risk
If an array is accessed by an index that is beyond the array’s size, it can lead to data corruption, misbehavior, or crashing.
Mitigation and prevention
Perform proper bound checking before accessing an array at a specific index.
Vulnerable code example
int get_index(); // some function returning an index

void foo() {
    const int SIZE = 10;
    int arr[SIZE];

    int index = get_index();
    if (index >= 12) {      // suspicious: bound is 12, but arr has SIZE (10) elements
        return;
    }

    arr[index] = 0;         // reachable with index 10 or 11
}
Klocwork reports CXX.SUSPICIOUS_INDEX_CHECK on line 12 to warn users about the suspicious index check on line 8.
It is possible to reach the array access on line 12 when "index" is 10 or 11, which can cause a buffer overflow.
Fixed code example
int get_index(); // some function returning an index

void foo() {
    const int SIZE = 10;
    int arr[SIZE];

    int index = get_index();
    if (index >= 9) {       // bound no longer exceeds SIZE
        return;
    }

    arr[index] = 0;         // only reached when index is below 9
}
Buffer overflow is not possible because the constraint "index >= 9" on line 8 rules out all bad behavior.
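As an added example (not Klocwork's or this page's own code), the check below takes its bound from the array type instead of a literal, so the guard cannot drift away from the declared size. It goes beyond the upper-bound case shown above by also rejecting negative indices; `checked_store` and `indices_past_guard` are hypothetical helper names, and the sample indices are constructed.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical helper: store `value` at `index` only if the index is inside
// the array. N is deduced from the array itself, so the check always matches
// the declared size, unlike a hand-written literal such as 12.
template <std::size_t N>
bool checked_store(int (&arr)[N], int index, int value) {
    if (index < 0 || static_cast<std::size_t>(index) >= N) {
        return false;               // reject negative and too-large indices
    }
    arr[index] = value;
    return true;
}

// Hypothetical helper: list the indices that a guard of the form
// `if (index >= limit) return;` lets through although they lie at or beyond
// the end of an array of `size` elements. Empty means the upper bound is sound.
std::vector<int> indices_past_guard(int limit, int size) {
    std::vector<int> escaped;
    for (int i = size; i < limit; ++i) {
        escaped.push_back(i);
    }
    return escaped;
}

int main() {
    int arr[10] = {};
    // Constructed inputs: two valid indices, the two values the guard with
    // bound 12 lets through, and a negative value.
    const int samples[] = {0, 9, 10, 11, -1};
    int stored = 0;
    for (int s : samples) {
        if (checked_store(arr, s, 1)) {
            ++stored;
        }
    }
    return stored == 2 ? 0 : 1;     // only indices 0 and 9 are accepted
}
```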