When two pointers are subtracted, both must point to elements of the same array object or to just one past the last element of the array object (C Standard, Section 6.5.6 7 [ISO/IEC 9899:20112024]); the result is the difference of the subscripts of the two array elements. Otherwise, the operation results in is undefined behavior. (See undefined behavior 48 of Appendix J.) This restriction exists because pointer subtraction in C produces the number of objects between the two pointers, not the number of bytes.45.)
Similarly, comparing pointers using the relational operators <, <=, >=, and > gives the positions of the pointers relative to each other. Subtracting or comparing pointers that do not refer to the same array
...
is undefined behavior. (See undefined behavior
...
45 and undefined behavior
...
50.)
Comparing pointers using the equality operators == and != has well-defined semantics regardless of whether or not either of the pointers is null, points into the same object, or points one past the last element of an array object or function.It is acceptable to subtract or compare two member pointers within a single struct object, suitably cast because any object can be treated as an array of unsigned char. However, when doing so remember to account for the effects of alignment and padding on the structure.
Noncompliant Code Example
In this noncompliant code example, pointer subtraction is used to determine how many free elements are left in the nums array.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stddef.h> enum { SIZE = 32 }; void func(void) { int nums[SIZE]; char *strings[SIZE] int end; int *next_num_ptr = nums; int size_t free_byteselements; /* incrementIncrement next_num_ptr as array fills */ free_byteselements = strings &end - (char **)next_num_ptr; } |
This program incorrectly assumes that the nums array is adjacent to the end variable in memory. A compiler is permitted to insert padding bits between these two variables or even reorder them in memoryThe first incorrect assumption is that the nums and strings arrays are necessarily contiguous in memory. The second is that free_bytes is the number of bytes available. The subtraction returns the number of elements between next_num_ptr and strings.
Compliant Solution
In this compliant solution, the number of free elements is kept as a counter and adjusted on every array operation. It is also calculated in terms of free elements instead of bytes. This prevents further mathematical errorscomputed by subtracting next_num_ptr from the address of the pointer past the nums array. While this pointer may not be dereferenced, it may be used in pointer arithmetic.
| Code Block | ||||
|---|---|---|---|---|
| ||||
int nums[SIZE]; char *strings#include <stddef.h> enum { SIZE = 32 }; void func(void) { int nums[SIZE]; int *next_num_ptr = nums; int size_t free_byteselements; /* incrementIncrement next_num_ptr as array fills */ free_byteselements = (&(nums[SIZE]) - next_num_ptr) * sizeof(int); } |
Exceptions
ARR36-C-EX1: Comparing two pointers within to distinct members of the same struct object is allowed.
ARR36-EX2: Subtracting two pointers to char within the same object is allowed. Pointers to structure members declared later in the structure compare greater-than pointers to members declared earlier in the structure.
Risk Assessment
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|---|---|
ARR36-C | Medium |
Probable |
No |
No |
P4 |
L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| pointer-subtraction | Partially checked | ||||||
| Axivion Bauhaus Suite |
| CertC-ARR36 | Can detect operations on pointers that are unrelated | ||||||
| CodeSonar |
| LANG.STRUCT.CUP LANG.STRUCT.SUP | Comparison of Unrelated Pointers Subtraction of Unrelated Pointers | ||||||
| Coverity |
| MISRA C 2004 17.2 MISRA C 2004 17.3 MISRA C 2012 18.2 MISRA C 2012 18.3 | Implemented | ||||||
| Cppcheck |
| comparePointers | |||||||
| Cppcheck Premium |
| comparePointers | |||||||
| Helix QAC |
| C0487, C0513 DF2668, DF2669, DF2761, DF2762, DF2763, DF2766, DF2767, DF2768, DF2771, DF2772, DF2773 | |||||||
| Klocwork |
| MISRA.PTR.ARITH | |||||||
| LDRA tool suite |
| 437 S, 438 S | Fully implemented |
0487
2771
| Parasoft C/C++test |
| CERT_C-ARR36-a CERT_C-ARR36-b | Do not subtract two pointers that do not address elements of the same array | ||||||
| Checks for subtraction or comparison between pointers to different arrays (rule partially covered) | ||||||||
| PVS-Studio |
| V736, V782 | |||||||
| RuleChecker |
| pointer-subtraction | Partially checked | ||||||
| Security Reviewer - Static Reviewer | 6.02 | C24 C107 | Fully Implemented | ||||||
| TrustInSoft Analyzer |
| differing_blocks | Exhaustively verified (see the compliant and the non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C |
| CTR54-CPP. Do not subtract |
| iterators that do not refer to the same |
| container | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 |
| Subtracting or comparing two pointers that do not refer to the same array [ptrobj] |
| Prior to 2018-01-12: CERT: Unspecified Relationship | ||
| CWE 2.11 | CWE-469, Use of Pointer Subtraction to Determine Size | 2017-07-10: CERT: Exact |
| CWE 3.11 | CWE-469, Use of |
| Pointer Subtraction to Determine Size | 2018-10-18:CERT:CWE subset of rule |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-469 and ARR36-C
CWE-469 = Subset(ARR36-C)
ARR36-C = Union(CWE-469, list) where list =
- Pointer comparisons using the relational operators
<,<=,>=, and>, where the pointers do not refer to the same array
Bibliography
...
| [ISO/IEC 9899:2024] | 6.5.7, "Additive Operators" |
...