Expressions that have an integral type can be added to or subtracted from a pointer, resulting in a value of the pointer type. If the resulting pointer would is not be a valid member of the container, or one past the last element of the container, the behavior of the additive operator is undefined. The C++ Standard, [expr.add], paragraph 5 [ISO/IEC 14882-2014], states, in part:
If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined.
Since Because iterators are a generalization of pointers, the same constraints apply to additive operators with random access iterators. Specifically, the C++ Standard, [iterator.requirements.general], paragraph 5, states:
...
In this noncompliant code example, a random access iterator from a std::vector is used in an additive expression, but the resulting value could be outside of the bounds of the container , and not a past-the-end value.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <vector>
void f(const std::vector<int> &C) {
for (auto I = C.begin(), E = I + 20; I != E; ++I) {
std::cout << *I << std::endl;
}
} |
...
This compliant solution assumes that the programmer's intention was to process up to twenty 20 items in the container. Instead of assuming all containers will have twenty 20 or more elements, the size of the container is used to determine the upper bound on the addition.
...
This compliant solution also uses a named constant value in compliance with DCL06-CPP. Use meaningful symbolic constants to represent literal values in program logic.
...
Noncompliant Code Example (Linear Address Space)
In this noncompliant code example, an attempt is made to determine if a pointer addition will cause a linear address space wraparound:
...
This code resembles the test for wraparound from the sprint() function as implemented for the Plan 9 operating system. If buf + len < buf evaluates to true, len is assigned the remaining space , minus one byte. However, because the expression buf + len < buf constitutes undefined behavior, compilers can assume this condition will never occur and optimize away the entire conditional statement.
...
This compliant solution works on architectures that provide a linear address space. Some word-oriented machines are likely to produce a word address with the high-order bits used as a byte selector, in which case this solution will fail. Consequently, this solution is not a portable solution.
Risk Assessment
If adding or subtracting an integer to a pointer results in a reference to an element outside the array or one past the last element of the array object, the behavior is undefined , but frequently leads to a buffer overflow or buffer underrun, which can often be exploited to run arbitrary code. Iterators and STL standard template library containers exhibit the same behavior and caveats as pointers and arrays.
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...