CWE Rule 787
Description
Rule Description
The software writes data past the end, or before the beginning, of the intended buffer.
Polyspace Implementation
The rule checker checks for these issues:
- Destination buffer overflow in string manipulation 
- Destination buffer underflow in string manipulation 
Examples
Destination buffer overflow occurs when certain string manipulation functions write to their destination buffer argument at an offset greater than the buffer size.
For instance, when calling the function sprintf(char* buffer, const char* format), you use a constant string format of greater size than buffer.
Buffer overflow can cause unexpected behavior such as memory corruption or stopping your system. Buffer overflow also introduces the risk of code injection.
One possible solution is to use alternative functions to constrain the number of characters written. For instance:
- If you use sprintf to write formatted data to a string, use snprintf, _snprintf or sprintf_s instead to enforce length control. Alternatively, use asprintf to automatically allocate the memory required for the destination buffer.
- If you use vsprintf to write formatted data from a variable argument list to a string, use vsnprintf or vsprintf_s instead to enforce length control.
- If you use wcscpy to copy a wide string, use wcsncpy, wcslcpy, or wcscpy_s instead to enforce length control.
Another possible solution is to increase the buffer size.
#include <stdio.h>
void func(void) {
    char buffer[20];
    char *fmt_string = "This is a very long string, it does not fit in the buffer";
    sprintf(buffer, fmt_string);  //Noncompliant
}
In this example, buffer can contain 20 char elements but fmt_string has a greater size.
Use snprintf Instead of sprintf
One possible correction is to use the snprintf function to enforce length control.
#include <stdio.h>
void func(void) {
    char buffer[20];
    char *fmt_string = "This is a very long string, it does not fit in the buffer";
    snprintf(buffer, 20, fmt_string);
}
Destination buffer underflow occurs when certain string manipulation functions write to their destination buffer argument at a negative offset from the beginning of the buffer.
For instance, for the function sprintf(char* buffer, const char* format), you obtain the buffer from an operation buffer = (char*)arr; ... buffer += offset;, where arr is an array and offset is a negative value.
Buffer underflow can cause unexpected behavior such as memory corruption or stopping your system. Buffer underflow also introduces the risk of code injection.
If the destination buffer argument results from pointer arithmetic, see if you are decrementing a pointer. Fix the pointer decrement by modifying either the original value before decrement or the decrement value.
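The two fixes described above (length-controlled formatting against overflow, a validated offset against underflow) combined in one checked write. This is an added example, not code from the Polyspace documentation; write_at and the write_status values are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical helper (not a Polyspace or libc API): format `text` into
 * dst[offset..cap) and report why a write was refused or cut short. */
enum write_status { WRITE_OK = 0, WRITE_BAD_OFFSET = -1, WRITE_TRUNCATED = -2 };

enum write_status write_at(char *dst, size_t cap, ptrdiff_t offset, const char *text)
{
    /* Underflow guard: a negative offset would address memory before dst.
     * Overflow guard: the offset must leave at least one byte for the NUL. */
    if (dst == NULL || text == NULL || offset < 0 || (size_t)offset >= cap)
        return WRITE_BAD_OFFSET;

    size_t room = cap - (size_t)offset;

    /* Constant "%s" format: text is copied as data, never parsed as a format. */
    int needed = snprintf(dst + offset, room, "%s", text);

    /* snprintf returns the length it wanted to write. A value >= room means
     * the output was cut short (it is still NUL-terminated). A negative
     * return (output error) is reported the same way. */
    if (needed < 0 || (size_t)needed >= room)
        return WRITE_TRUNCATED;
    return WRITE_OK;
}

int main(void)
{
    char buffer[20];
    /* Constructed sample input, same string as the page's overflow example. */
    const char *long_text = "This is a very long string, it does not fit in the buffer";

    printf("offset  2, \"Text\": %d\n", write_at(buffer, sizeof buffer, 2, "Text"));
    printf("offset -2, \"Text\": %d\n", write_at(buffer, sizeof buffer, -2, "Text"));
    printf("offset  0, long  : %d -> \"%s\"\n",
           write_at(buffer, sizeof buffer, 0, long_text), buffer);
    return 0;
}
```

Checking the snprintf return value matters because a truncated write stays in bounds but silently loses data; the caller decides whether that is acceptable.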
#include <stdio.h>
#define offset -2
void func(void) {
    char buffer[20];
    char *fmt_string ="Text";
    sprintf(&buffer[offset], fmt_string);  //Noncompliant
}
In this example, &buffer[offset] is at a negative offset from the memory allocated to buffer.
One possible correction is to change the value of offset.
#include <stdio.h>
#define offset 2
void func(void) {
    char buffer[20];
    char *fmt_string ="Text";
    sprintf(&buffer[offset], fmt_string);     
}
Check Information
Category: Memory Buffer Errors
Version History
Introduced in R2023a