Page History

As Do not invoke getc() and putc() may be implemented as macros, calling them with parameters that have side effects may cause unexpected results, since the argument code could be evaluated multiple times.

Non-Compliant Code Example: getc()

or putc() or their wide-character analogues getwc() and putwc() with a stream argument that has side effects. The stream argument passed to these macros may be evaluated more than once if these functions are implemented as unsafe macros. (See PRE31-C. Avoid side effects in arguments to unsafe macros for more information.)

This rule does not apply to the character argument in putc() or the wide-character argument in putwc(), which is guaranteed to be evaluated exactly once.

Noncompliant Code Example (getc())

This noncompliant code example This code calls the getc() function with an expression as an the stream argument. If getc() is implemented as a macro expansion, the file may be opened several multiple times. (see FIO31See FIO24-C. Do not simultaneously open a file multiple times).that is already open.)

#include <stdio.h>
 
void func(const char *file_name) {
  
char const *filename = "test.txt"; 
FILE *fptr;

 
 
int c = getc(fptr = fopen(filenamefile_name, "r"));
  if (feof(fptr) || ferror(fptr)) {
    /* Handle error */
  }

  if (fclose(fptr) == EOF) {
    /* Handle error */
  }
}

This noncompliant code example also violates ERR33-C. Detect and handle standard library errors because the value returned by fopen() is not checked for errors.

Compliant Solution

...

(getc())

In this compliant solution, getcfopen() is no longer called with an expression as its argument.called before getc() and its return value is checked for errors:

#include <stdio.h>
 
void func(const char *file_name) {
  int c;
  FILE *fptr;

  
char const *filename = "test.txt"; 
FILE *fptr = fopen(filenamefile_name, "r");
  if (fptr == NULL) {
    /* Handle error */
  }
int
  c = getc(fptr);
  if (c == EOF) {
    /* Handle error */
  }

  if (fclose(fptr) == EOF) {
    /* Handle error */

...

  }
}

Noncompliant Code Example

...

(putc())

In this non-compliant noncompliant example, putc() is called with c++ as an an expression as the stream argument. If putc() is implemented as a macro, c++ could this expression might be evaluated several times "within" putc(), causing unintended resultsmultiple times.

char #include <stdio.h>
 
void func(const *filename = "test.txt";
char *file_name) {
  FILE *fptr = fopen(filename, "w")NULL;

  int c = 97'a';
 
  while (c <= 123'z') {
    if (putc(c++, fptr ? fptr :
         (fptr);
}

Compliant Solution: putc()

 = fopen(file_name, "w"))) == EOF) {
      /* Handle error */
    }
  }

  if (fclose(fptr) == EOF) {
    /* Handle error */
  }
}

This noncompliant code example might appear safe even if the putc() macro evaluates its stream argument multiple times, as the ternary conditional expression ostensibly prevents multiple calls to fopen(). However, the assignment to fptr and the evaluation of fptr as the controlling expression of the ternary conditional expression can take place between the same sequence points, resulting in undefined behavior 34 (a violation of EXP30-C. Do not depend on the order of evaluation for side effects). This code also violates ERR33-C. Detect and handle standard library errors because it fails to check the return value from fopen().

Compliant Solution (putc())

In this compliant solution, the stream argument to putc() no longer has side effects:In the compliant solution, c++ is no longer an argument to putc().

#include <stdio.h>
 
void func(const char *file_name) {
  int c = 'a'; 
  
char const *filename = "test.txt";
FILE *fptr = fopen(filenamefile_name, "w");
 
int c = 97;

while  if (fptr == NULL) {
    /* Handle error */
  }

  while (c <= 123'z') {
    if (putc(c++, fptr) == EOF) {
      /* Handle error */
    }
  }

  if (fclose(fptr);) == EOF) {
    /* Handle error */
  c++;
}
}
}

The expression c++ is perfectly safe because putc() guarantees to evaluate its character argument exactly once.

NOTE: The output of this compliant solution differs depending on the character set. For example, when run on a machine using an ASCII-derived code set such as ISO-8859 or Unicode, this solution will print out the 26 lowercase letters of the English alphabet. However, if run with an EBCDIC-based code set, such as Codepage 037 or Codepage 285, punctuation marks or symbols may be output between the letters.

Risk Assessment

Using an expression that has side effects as the stream argument to getc(), putc(), or putcgetwc() could can result in unexpected behavior and abnormal program termination.

Automated Detection

References

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

...

Image Added Image Added Image Added Wiki Markup\[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 7.19.7.5, "The {{getc}} function"; 7.19.7.8, "The {{putc}} function"