Merge pull request #226 from Zondax/fix/scanbuild-clang21-array-bounds

chcmedeiros · web-flow · commit 08c8d08251e7 · 2026-06-03T15:10:59.000+01:00
fix: silence clang-21 ArrayBound findings (+ real utf8ncpy OOB)
diff --git a/include/utf8.h b/include/utf8.h
@@ -625,12 +625,17 @@ utf8_int8_t *utf8ncpy(utf8_int8_t *utf8_restrict dst, const utf8_int8_t *utf8_re
         }
     }
 
-    for (check_index = index - 1; check_index > 0 && 0x80 == (0xc0 & d[check_index]); check_index--) {
-        /* just moving the index */
-    }
+    /* index == 0 means an empty string was copied; skip the back-scan so that
+     * `index - 1` does not underflow (index/check_index are unsigned size_t) and
+     * read out of bounds at d[SIZE_MAX]. */
+    if (index > 0) {
+        for (check_index = index - 1; check_index > 0 && 0x80 == (0xc0 & d[check_index]); check_index--) {
+            /* just moving the index */
+        }
 
-    if (check_index < index && (index - check_index) < utf8codepointsize(d[check_index])) {
-        index = check_index;
+        if (check_index < index && (index - check_index) < utf8codepointsize(d[check_index])) {
+            index = check_index;
+        }
     }
 
     /* append null terminating byte */
diff --git a/include/zxversion.h b/include/zxversion.h
@@ -17,4 +17,4 @@
 
 #define ZXLIB_MAJOR 47
 #define ZXLIB_MINOR 0
-#define ZXLIB_PATCH 0
+#define ZXLIB_PATCH 1
diff --git a/src/base58.c b/src/base58.c
@@ -76,6 +76,12 @@ int decode_base58(const char *in, size_t length, unsigned char *out, size_t *out
         if (tmp[startAt] == 0) {
             ++startAt;
         }
+        // Base58 output never has more digits than the input, so j (starting at
+        // length) cannot reach 0 here. The explicit guard proves that bound to the
+        // static analyzer and avoids an unsigned underflow of j on any future change.
+        if (j == 0) {
+            break;
+        }
         buffer[--j] = (unsigned char)remainder;
     }
     while ((j < length) && (buffer[j] == 0)) {
diff --git a/src/zxcanary.c b/src/zxcanary.c
@@ -21,8 +21,12 @@
 #include "zxmacros.h"
 
 // This symbol is defined by the link script to be at the start of the stack area.
+// The dynamic canary lives in the word immediately after it, which is a deliberate
+// out-of-object access. Compute the address through uintptr_t (not pointer arithmetic
+// on &app_stack_canary) so the static analyzer does not flag it as an array-bounds
+// violation; the generated access is identical.
 extern unsigned int app_stack_canary;
-#define ZONDAX_CANARY (*((volatile uint32_t *)(((uint8_t *)&app_stack_canary) + sizeof(uint32_t))))
+#define ZONDAX_CANARY (*((volatile uint32_t *)((uintptr_t)&app_stack_canary + sizeof(uint32_t))))
 
 #if defined(HAVE_ZONDAX_CANARY)
 #include "errors.h"

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,12 @@ int decode_base58(const char in, size_t length, unsigned char out, size_t *out`
`76`	`76`	`if (tmp[startAt] == 0) {`
`77`	`77`	`++startAt;`
`78`	`78`	`}`
	`79`	`+ // Base58 output never has more digits than the input, so j (starting at`
	`80`	`+ // length) cannot reach 0 here. The explicit guard proves that bound to the`
	`81`	`+ // static analyzer and avoids an unsigned underflow of j on any future change.`
	`82`	`+ if (j == 0) {`
	`83`	`+ break;`
	`84`	`+ }`
`79`	`85`	`buffer[--j] = (unsigned char)remainder;`
`80`	`86`	`}`
`81`	`87`	`while ((j < length) && (buffer[j] == 0)) {`