Invalid use of standard library string routine

Standard library string function called with invalid arguments

expand all in page

Description

This defect occurs when a string library function is called with invalid arguments.

Risk

The risk depends on the type of invalid arguments. For instance, using the strcpy function with a source argument larger than the destination argument can result in buffer overflows.

Fix

The fix depends on the standard library function involved in the defect. In some cases, you can constrain the function arguments before the function call. For instance, if the strcpy function:

char * strcpy(char * destination, const char* source)

tries to copy too many bytes into the destination argument compared to the available buffer, constrain the source argument before the call to strcpy. In some cases, you can use an alternative function to avoid the error. For instance, instead of strcpy, you can use strncpy to control the number of bytes copied.

See examples of fixes below.

If you do not want to fix the issue, add comments to your result or code to avoid another review. See:

Address Results in Polyspace User Interface Through Bug Fixes or Justifications if you review results in the Polyspace user interface.
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser.
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE.

Examples

Invalid Use of Standard Library String Routine Error

 #include <string.h>
 #include <stdio.h>
 
 char* Copy_String(void)
 {
  char *res;
  char gbuffer[5],text[20]="ABCDEFGHIJKL";

  res=strcpy(gbuffer,text); 
  /* Error: Size of text is less than gbuffer */

  return(res);
 }

The string text is larger in size than gbuffer. Therefore, the function strcpy cannot copy text into gbuffer.

Correction — Use Valid Arguments

One possible correction is to declare the destination string gbuffer with equal or larger size than the source string text.

#include <string.h>
 #include <stdio.h>
 
 char* Copy_String(void)
 {
  char *res;
  /*Fix: gbuffer has equal or larger size than text */
  char gbuffer[20],text[20]="ABCDEFGHIJKL";

  res=strcpy(gbuffer,text);

  return(res);
 }

Result Information

Group: Static memory

Language: C | C++

Default: On

Command-Line Syntax: STR_STD_LIB

Impact: High

Version History

Introduced in R2013b

R2021b: Checker flags invalid use of C++ `std::string` methods

The checker now checks C++ std::string methods:

For methods that take a const char* argument str, the check raises a defect if str is NULL or points to an invalid string.
For instance:
```
   std::string str = "";
   const char txt[3] = {'n','o','p'};
   str.append(txt);  //txt is not a valid string
```
For methods that take a const char* argument str and a size_t argument n, the check raises a defect if str is NULL or points to an buffer of more than n characters.
For instance:
```
    std::string str = "";
    const char txt[3] = {'n','o','p'}; 
    str.append(txt,4); //txt points to a 3-character buffer
```

See Also

Find defects (-checkers) | Invalid use of standard library memory routine

Topics