0

I am using HP Fortify to scan my code for possible errors, and this bit of code keeps being flagged as an integer overflow. However, there is no arithmetic being done to warrant an overflow, and argc is bounded by several conditional statements. Despite this, it seems Fortify does not like argc being used to allocate the size of a buffer. I don't think an integer overflow is possible then, in this case, and it may be that this issue is the result of a bug in HP Fortify. Any suggestions as to why Fortify is flagging line 9 as an integer overflow? 

  1 int main(int argc, char* argv[]) {
  2   if ((argc < 0) || (argc > 10)) {
  3     cout<< "number of arguments is invalid.";
  4     return -1;
  5   } 
  6   cout << "Number of arguments: " << argc << endl;
  7   
  8   if ((argc > 0) && (argc < 10)) {
  9     int myArray[argc]; //This line gets flagged as an integer overflow
 10   } else {
 11     cout<<"Argc is out of bounds."<<endl;
 12     return -1;
 13   } 
 14   return 0;
 15 }

It was also recommended to me in the comments that I use a dynamic array. Unfortunately this doesn't work either, as Fortify still flags the array initialization as an integer overflow.

mille271
  • 61
  • 5
  • 7
    In C++ (but not in C), the size of an array must known at compile time. If not you must use dynamic allocation. Some compiler (gcc for example) allow Variable Length Array but it's not standard. – nefas May 18 '17 at 23:33
  • maybe it is complaining that argc is signed and having a negative array size is invalid even though you tested its range, try casting to unsigned – pm100 May 18 '17 at 23:42
  • Can't you use `int *myArray = new int[argc];`? – alvits May 18 '17 at 23:47
  • 4
    Possible duplicate of [How to create a dynamic array of integers](http://stackoverflow.com/questions/4029870/how-to-create-a-dynamic-array-of-integers) – alvits May 18 '17 at 23:48
  • I think a `std::vector` would be preferable to a manually managed dynamic array, but that's not OP's problem. Not a dupe. – user4581301 May 18 '17 at 23:56
  • 2
    Not a duplicate of that question, but that does show the correct way (if you look at the non-accepted answer showing how to use `std::unique_ptr`). Except I would add that there's no reason to use `new` here. Use `std::vector`. Or, since you range-test, why not just `int myArray[10]`? – paddy May 18 '17 at 23:56
  • Unfortunately, using `int *myArray = new int[argc];` still results in Fortify flagging the line as a integer overflow. I don't think it is an issue with the compiler, as it compiles without error. Most likely it is a bug with HP Fortify. I get the same "integer overflow" error when using argc to allocate the size of a char* also. – mille271 May 22 '17 at 18:20

0 Answers0