C99 [ISO/IEC 9899:1999] Section 6.5.2.2 says (see also undefined behavior 35 of Annex J):

If an attempt is made to modify the result of a function call or to access it after the next sequence point, the behavior is undefined.

A C function cannot return an array; however, it can return a struct or union that contains an array, and the array member of such a return value is then subject to the rule above.

...

  1. In C99, the lifetime of a function's return value ends at the next sequence point, and there is a sequence point after the arguments of a call have been evaluated and before the called function is entered. Consequently, by the time printf() runs, the struct returned by the addressee() call is no longer valid and may have been overwritten.
  2. C function arguments are passed by value, so copies are made of all objects produced by the argument expressions. For example, a copy is made of the pointer to "Hello, %s!\n". Under most circumstances these copies protect you from the sequence-point problem described above.
  3. Finally, C implicitly converts an array to a pointer to its first element when it is passed as a function argument. A copy of the pointer to the addressee().a array is therefore passed to printf(), but the array data itself is not copied and may no longer exist when printf() is called.

Consequently, when printf() dereferences the pointer passed as its second argument, it is likely to find garbage.
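The following is an added example, not code from the original page: it reconstructs the pattern the explanation above describes (a function addressee() returning a struct whose array member is passed straight to printf()) and places the compliant fix beside it. The struct layout, the member name a, the string "world" and the helper compliant_greeting() are assumptions made for this illustration. The noncompliant function is kept only to show the shape of the violation and is not called; under C99 reading addressee().a inside printf() is undefined, while C11 (6.2.4) gives such a return value a temporary lifetime that lasts until the end of the full expression, so reading it became defined but modifying it remains undefined.

```c
#include <stdio.h>
#include <string.h>

/* Assumed struct for this example: a function cannot return an array,
 * but it can return a struct that contains one. */
struct addressee_t {
    char a[6];
};

/* Assumed function, modelled on the addressee() the page refers to. */
struct addressee_t addressee(void) {
    struct addressee_t result = { "world" };
    return result;
}

/* NONCOMPLIANT (C99): addressee().a decays to a pointer into the temporary
 * returned by addressee(). That temporary's lifetime ends at the next
 * sequence point, which occurs after the arguments are evaluated and before
 * printf() is entered, so printf() dereferences a pointer to an object that
 * may no longer exist. Passing the pointer by value does not help: the
 * array data itself is never copied. Not called below. */
void noncompliant_print(void) {
    printf("Hello, %s!\n", addressee().a);
}

/* COMPLIANT: copy the returned struct into an object with automatic storage
 * duration first. The copy is a distinct object that lives for the whole
 * block, so its array member may safely be passed on. */
void compliant_print(void) {
    struct addressee_t x = addressee();
    printf("Hello, %s!\n", x.a);
}

/* Same compliant pattern exposed with a checkable result (assumed helper):
 * builds the greeting into a caller-supplied buffer and returns the number
 * of characters that would have been written, excluding the terminator. */
size_t compliant_greeting(char *buf, size_t n) {
    struct addressee_t x = addressee();   /* copy before use */
    int written = snprintf(buf, n, "Hello, %s!", x.a);
    return written < 0 ? 0 : (size_t)written;
}

int main(void) {
    char buf[32];
    compliant_print();
    compliant_greeting(buf, sizeof buf);
    puts(buf);
    return 0;
}
```

The copy in compliant_print() is the whole fix: once the return value has been stored in a named object, every later use refers to that object rather than to the function call's result, and the sequence-point rule no longer applies.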

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
EXP35-C   low       probable    medium            P4        L3

Automated Detection

Splint Version 3.1.1 can detect violations of this rule.

...

Tool      Version   Checker   Description
Splint
GCC                           Can detect violations of this rule when the -Wall flag is used.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...