Query module LengthComparisonOffByOne

name: Off-by-one comparison against length
description: An array index is compared to be less than or equal to the ‘length’ property, and then used in an indexing operation that could be out of bounds.
kind: problem
problem.severity: warning
id: js/index-out-of-bounds
tags: reliability correctness logic external/cwe/cwe-193
precision: high

Imports

javascript

Provides classes for working with JavaScript programs, as well as JSON, YAML and HTML.

Predicates

arrayLen

Gets an access to array.length.

elementRead

Holds if ea is a read from array[index] in basic block bb.

getLengthLEGuard

Gets a condition that checks that index is less than or equal to array.length.

getLengthNEGuard

Gets a condition that checks that index is not equal to array.length.
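
The pattern named in the query description, next to two forms in which every read stays in bounds. This is an added example, not code from the query module or the CodeQL project; the function names and sample data are constructed for illustration, and the `!==` variant is only an instance of the kind of condition getLengthNEGuard describes.

```javascript
// Constructed example: all names and inputs here are hypothetical.

// Pattern from the description: `i <= items.length` (the kind of
// condition getLengthLEGuard describes) lets i reach items.length,
// so the last read items[i] is out of bounds and yields undefined.
function collectOffByOne(items) {
  const seen = [];
  for (let i = 0; i <= items.length; i++) {
    seen.push(items[i]); // element read inside the `<=` comparison
  }
  return seen;
}

// Corrected comparison: strict `<` keeps every read inside the array.
function collectFixed(items) {
  const seen = [];
  for (let i = 0; i < items.length; i++) {
    seen.push(items[i]);
  }
  return seen;
}

// `<=` is kept, but an explicit `i !== items.length` check (the kind of
// condition getLengthNEGuard describes) excludes the one bad index
// before the read happens.
function collectGuarded(items) {
  const seen = [];
  for (let i = 0; i <= items.length; i++) {
    if (i !== items.length) {
      seen.push(items[i]);
    }
  }
  return seen;
}

// Why it matters: the stray undefined surfaces later as a TypeError
// when a consumer dereferences it, far from the faulty comparison.
function totalLength(strings, collect) {
  let total = 0;
  for (const s of collect(strings)) {
    total += s.length; // throws if s is undefined
  }
  return total;
}
```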