You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Two consecutive question marks signify the start of a trigraph sequence.

According to the C99 Standard:

All occurrences in a source file of the following sequences of three characters (ie. trigraph sequences) are replaced with the corresponding single character.

??=

#

 

??)

]

 

??!

|

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2950d2fa-bbf5-4c77-88d0-d7e315d2f762"><ac:plain-text-body><![CDATA[

??(

[

 

??'

^

 

??>

}

]]></ac:plain-text-body></ac:structured-macro>

??/

\

 

??<

{

 

??-

~

Non-compliant Code Example

In this non-compliant code example, a++ is not executed, as the trigraph sequence ??/ is replaced by \, logically putting a++ on the same line as the comment.

// what is the value of a now??/
a++;

Compliant Solution

The following compliant solution eliminates the accidental introduction of the trigraph.

/* what is the value of a now */
a++;

Non-compliant Code Example

This non-compliant code has the trigraph sequence of ??! included, which is replaced by the character |.

size_t i;
/* assignment of i */
if (i > 9000) {
   puts("Over 9000!??!");
}

The above code prints out Over 9000!| if a C99 Compliant compiler is used.

Compliant Solution

The compliant solution uses string concatenation to place the two question marks together, as they will be interpreted as beginning a trigraph sequence otherwise.

size_t i;
/* assignment of i */
if (i > 9000) {
   puts("Over 9000!?""?!");
}

The above code will print out Over 9000!??!, as intended.

Risk Assessment

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

PRE05-A

1 (low)

1 (unlikely)

2 (medium)

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 5.2.1.1, "Trigraph sequences"
[Wikipedia] "C Trigraphs"

  • No labels