SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 46

changes.mady.by.user Aaron Ballman

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

Expressions that have an integral type can be added to or subtracted from a pointer, resulting in a value of the pointer type. If the resulting pointer is not a valid member of the container, or one past the last element of the container, the behavior of the additive operator is undefined. The C++ Standard, [expr.add], paragraph 5 [ISO/IEC 14882-2014], states, in part in part, states the following:

If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined.

Because iterators are a generalization of pointers, the same constraints apply to additive operators with random access iterators. Specifically, the C++ Standard, [iterator.requirements.general], paragraph 5, states the following:

Just as a regular pointer to an array guarantees that there is a pointer value pointing past the last element of the array, so for any iterator type there is an iterator value that points past the last element of a corresponding sequence. These values are called past-the-end values. Values of an iterator i for which the expression *i is defined are called dereferenceable. The library never assumes that past-the-end values are dereferenceable.

...

In this noncompliant code example, a random access iterator from a std::vector is used in an additive expression, but the resulting value could be outside the bounds of the container rather than a past-the-end value:.

Code Block
bgColor#ffcccc
langcpp
#include <iostream>
#include <vector>
 
void f(const std::vector<int> &c) {
  for (auto i = c.begin(), e = i + 20; i != e; ++i) {
    std::cout << *i << std::endl;
  }
}

...

If adding or subtracting an integer to a pointer results in a reference to an element outside the array or one past the last element of the array object, the behavior is undefined but frequently leads to a buffer overflow or buffer underrun, which can often be exploited to run arbitrary code. Iterators and standard template library containers exhibit the same behavior and caveats as pointers and arrays.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

CTR55-CPP

High

Likely

Medium

No

No

P18

P9

L1

L2

Automated Detection

Tool

Version

Checker

Description

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF3526, DF3527, DF3528, DF3529, DF3530, DF3531, DF3532, DF3533, DF3534


Klocwork
Include Page
Klocwork_V
Klocwork_V

ITER.ADVANCE.NONADJACENT


LDRA tool suite
Include Page
LDRA_V
LDRA_V

567 S

Enhanced Enforcement

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_CPP-CTR55-a

Do not add or subtract a constant with a value greater than one from an iterator

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C++: CTR55-CPPChecks for possible iterator overflows (rule partially covered).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C Coding Standard ARR30-C. Do not form or use out-of-bounds pointers or array subscripts
MITRE CWECWE 129, Unchecked Array Indexing

Bibliography

[Banahan
03
2003]Section 5.3, "Pointers"
Section 5.7, "Expressions Involving Pointers"
[ISO/IEC 14882-2014]

Subclause 5.7, "Additive Operators"
Subclause 24.2.1, "In General"

[VU#162289]
 

...



...

Image Modified Image Modified Image Modified