Running clang-tidy on a program that uses getopt() from nolibc
this warning appears:

getopt.h:80:6: warning: Out of bound access to memory after the end of the string literal [clang-analyzer-security.ArrayBound]
80 |         if (optstring[i] == ':') {

Claude was asked for a reproducer and the human fixed up version
looks like this:

int main(int argc, char **argv, char **envp)
{
        char arg[]  = "-ab";
        char *_argv[] = { "prog", arg, NULL };

        char *optstring = "ab";

        int c = getopt(2, _argv, optstring);
        printf("call 1: '%c'\n", c);

        arg[2] = '\0';

        c = getopt(2, _argv, optstring);
        printf("call 2: '%c'\n", c);

        return 0;
}

This looks like a very unlikely case that an argument
inside of argv is being changed between getopt() calls.

Claude suggests using `-fsanitize=address` to detect the issue
but that doesn't work for nolibc so lets do it manually with
gdb:

Breakpoint 1, getopt (argc=2, argv=0x7fffffffdb20, optstring=0x55555555c0ac "ab") at ./../cleantrees/linux-nolibc/tools/include/nolibc/getopt.h:80
80              if (optstring[i] == ':') {
(gdb) print i
$2 = 3

The length of optstring is 3 and we are accessing the 4th byte.

Adding a check for d becoming 0 in the guard after the loop
stops getopt() getting far enough to access beyond the end
of the array and seems to correct the issue.

This probably isn't fixing a real world issue but it stops
people seeing the scary warning from clang-tidy.

Assisted-by: Claude:claude-4.6-sonnet # reproducer
Signed-off-by: Daniel Palmer <daniel@thingy.jp>
---

While test the other things I am working on with nolibc
I found this. It doesn't look like it needs a name and its
own website but seems to be a valid bug.

 tools/include/nolibc/getopt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/include/nolibc/getopt.h b/tools/include/nolibc/getopt.h
index 87565e3b6a33..3ad140f692df 100644
--- a/tools/include/nolibc/getopt.h
+++ b/tools/include/nolibc/getopt.h
@@ -71,7 +71,7 @@ int getopt(int argc, char * const argv[], const char *optstring)
 		d = optstring[i++];
 	} while (d && d != c);
 
-	if (d != c || c == ':') {
+	if (!d || d != c || c == ':') {
 		optopt = c;
 		if (optstring[0] != ':' && opterr)
 			fprintf(stderr, "%s: unrecognized option: %c\n", argv[0], *optchar);
-- 
2.53.0

Hi Daniel,

On 2026-05-20 20:19:31+0900, Daniel Palmer wrote:
> Running clang-tidy on a program that uses getopt() from nolibc
> this warning appears:
> 
> getopt.h:80:6: warning: Out of bound access to memory after the end of the string literal [clang-analyzer-security.ArrayBound]
> 80 |         if (optstring[i] == ':') {
> 
> Claude was asked for a reproducer and the human fixed up version
> looks like this:

Thanks for the report and patch!

(...)

> Claude suggests using `-fsanitize=address` to detect the issue
> but that doesn't work for nolibc so lets do it manually with
> gdb:

It works fine to copy the nolibc getopt() implementation into a new
normal source file and compile it with asan there.
That reproduces the issue and confirms the fix.

I'll apply your fix with a trimmed commit message.

(...)


Thomas