Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: Parsing C++ - 10.10

>
>
>
V1010. Unchecked tainted data is used i…
menu mobile close menu
Analyzer diagnostics
General Analysis (C++)
General Analysis (C#)
General Analysis (Java)
Micro-Optimizations (C++)
Diagnosis of 64-bit errors (Viva64, C++)
Customer specific requests (C++)
MISRA errors
AUTOSAR errors
OWASP errors (C#)
Problems related to code analyzer
Additional information
toggle menu Contents

V1010. Unchecked tainted data is used in expression.

May 11 2018

The analyzer has detected the use of external data without preliminary check. Putting too much trust in such data may have various negative implications, including security issues.

At present, the V1010 diagnostic detects the following error patterns:

  • Unchecked tainted data is used in index.
  • Unchecked tainted data is used in the argument that is expected to contain verified data.
  • Corrupting a pointer by changing its value using unchecked tainted data.
  • Division by unchecked tainted data.

Note. Starting with the 7.32 version, users can mark functions as sources and sinks of tainted data. You can see examples of annotations here.

Each pattern is discussed in detail below.

Example of suspicious code using unchecked tainted data in index:

size_t index = 0;
....
if (scanf("%zu", &index) == 1)
{
  ....
  DoSomething(arr[index]); // <=
}

Executing this code may result in indexing beyond the bounds of the 'arr' array if the user enters a value that is negative or greater than the maximum index valid for this array.

The correct version of this code checks the value passed before indexing into the array:

if (index < ArraySize)
  DoSomething(arr[index]);

Example of suspicious code using unchecked tainted data as an argument to a function:

char buf[1024];
char username [256];
....
if (scanf("%255s", username) == 1)
{
  if (snprintf(buf, sizeof(buf) - 1, commandFormat, username) > 0)
  {
    int exitCode = system(buf); // <=
    ....
  }
  ....
}

This code is vulnerable as the program passes the user input to the command-line interpreter without checking it. For example, entering "&cmd" in Windows could give the user access to the command-line interpreter.

The correct version of the code must execute an additional check of the data read:

if (IsValid(username))
{
  if (snprintf(buf, sizeof(buf) - 1, commandFormat, username) > 0)
  {
    int exitCode = system(buf);
    ....
  }
  ....
} 
else 
{
  printf("Invalid username: %s", username);
  ....
}

Example of suspicious code with pointer corruption:

size_t offset = 0;
int *pArr = arr;
....
if (scanf("%zu", &offset) == 1)
{
  pArr += offset; // <=
  ....
  DoSomething(pArr);
}

In this example, the value of the 'pArr' pointer becomes corrupt because adding the unchecked tainted value 'offset' may cause the pointer to start referencing beyond the array bounds. This poses a risk of corrupting some data (which will be referred to by 'pArr') with unpredictable consequences.

The correct version of the code checks the validity of the offset:

if (offset <= allowableOffset)
{
  pArr += offset;
  ....
  DoSomething(pArr);
}

The example of suspicious code with division by unchecked tainted data:

if (fscanf(stdin, "%zu", &denominator) == 1)
{
  targetVal /= denominator;
}

This code may result in division by 0 if a corresponding value is entered by a user.

Correct code performs a check of values validation:

if (fscanf(stdin, "%zu", &denominator) == 1)
{
  if (denominator > MinDenominator && denominator < MaxDenominator)
  {
    targetVal /= denominator;
  }
}

This diagnostic is classified as:

You can look at examples of errors detected by the V1010 diagnostic.