False Negative: ArrayIndexOutOfBounds.ql #21528

@Carlson-JLQ


Version
codeql 2.23.9

When I analyze code like this using Likely Bugs/Collections/ArrayIndexOutOfBounds.ql, the problem is reported normally:

```java
package scensct.core.pos;
public class PosCase1 {
    public static void main(String[] args) {
        int[] arr = new int[5];
        int index = 10; // Unbounded index, no constraint check before access
        int value = arr[index]; // Direct access with potentially out-of-bounds index // [REPORTED LINE]
    }
}
```

However, when I use a mediator variable or call a mediator function, ArrayIndexOutOfBounds.ql fails to detect the problem:

```java
package scensct.var.pos;

public class PosCase1_Var4 {
    public static void main(String[] args) {
        int[] arr = createArray();
        int index = getIndex();
        int value = arr[index]; // Access with index from method
    }

    private static int[] createArray() {
        return new int[5];
    }

    private static int getIndex() {
        return 10;
    }
}
```

```java
package scensct.var.pos;

public class PosCase2_Var4 {
    public static void main(String[] args) {
        int[] arr = new int[5];
        int K = 5;
        // Introduce an alias reference
        int[] alias = arr;
        int index = K;
        int value = alias[index];
    }
}
```

```java
package scensct.var.pos;

public class PosCase2_Var5 {
    private static int getIndex(int k) {
        return k;
    }

    public static void main(String[] args) {
        int[] arr = new int[5];
        int K = 5;
        // Move index computation to a helper method
        int index = getIndex(K);
        int value = arr[index];
    }
}
```

```java
package scensct.core.pos;

public class PosCase3 {
    public static void main(String[] args) {
        int[] arr = new int[5];
        int K = -1; // Negative bound
        int index = K + 0; // Index bounded below by negative K
        int value = arr[index]; // Access with potentially negative index
    }
}
```
