An object of type
void * is a generic data pointer. It can point to any data object. For any incomplete or object type
T, C permits implicit conversion from
T * to
void * or from
void * to
T *. C Standard memory allocation functions
void * to declare parameters and return types of functions designed to work for objects of different types.
For example, the C library declares
malloc(s) allocates memory for an object whose size is
s and returns either a null pointer or a pointer to the allocated memory. A program can implicitly convert the pointer that
malloc() returns into a different pointer type.
Because objects returned by the C Standard memory allocation functions are implicitly converted into any object type, we recommend casting the results of these functions into a pointer of the allocated type because it increases the chances that the compiler will catch and diagnose a mismatch between the intended type of the object and the actual type of the object.
Noncompliant Code Example
The argument to
malloc() can be any value of (unsigned) type
size_t. If the program uses the allocated storage to represent an object (possibly an array) whose size is greater than the requested size, the behavior is undefined. The implicit pointer conversion lets this slip by without complaint from the compiler.
Consider the following example:
An implementation may add padding to a gadget or widget so that
sizeof(widget), but this is highly unlikely. More likely,
sizeof(gadget) is less than
sizeof(widget). In that case,
p to point to storage too small for a widget. The subsequent assignments to
p->d will most likely produce memory overruns.
Casting the result of
malloc() to the appropriate pointer type enables the compiler to catch subsequent inadvertent pointer conversions. When allocating individual objects, the "appropriate pointer type" is a pointer to the type argument in the
sizeof expression passed to
In this code example,
malloc() allocates space for a
gadget, and the cast immediately converts the returned pointer to a
This lets the compiler detect the invalid assignment because it attempts to convert a
gadget * into a
Compliant Solution (Hand Coded)
This compliant solution repeats the same type in the
sizeof expression and the pointer cast:
Compliant Solution (Macros)
Repeating the same type in the
sizeof expression and the pointer cast is easy to do but still invites errors. Packaging the repetition in a macro, such as
further reduces the possibility of error.
Here, the entire allocation expression (to the right of the assignment operator) allocates storage for a
widget and returns a
widget *. If
p were not a
widget *, the compiler would complain about the assignment.
When allocating an array with
N elements of type
T, the appropriate type in the cast expression is still
T *, but the argument to
malloc() should be of the form
N * sizeof(T). Again, packaging this form as a macro, such as
reduces the chance of error in an allocation expression.
A small collection of macros can provide secure implementations for common uses for the standard memory allocation functions. The omission of a
REALLOC() macro is intentional (see EXP39-C. Do not access a variable through a pointer of an incompatible type).
The following is an example:
If one or more of the operands to the multiplication operations used in many of these macro definitions can be influenced by untrusted data, these operands should be checked for overflow before the macro is invoked (see INT32-C. Ensure that operations on signed integers do not result in overflow).
The use of type-generic function-like macros is an allowed exception (PRE00-C-EX4) to PRE00-C. Prefer inline or static functions to function-like macros.
MEM02-C-EX1: Do not immediately cast the results of
malloc() for code that will be compiled using a C90-conforming compiler because it is possible for the cast to hide a more critical defect (see DCL31-C. Declare identifiers before using them for a code example that uses
malloc() without first declaring it).
Failing to cast the result of a memory allocation function call into a pointer to the allocated type can result in inadvertent pointer conversions. Code that follows this recommendation will compile and execute equally well in C++.
|Axivion Bauhaus Suite|
Can detect some violations of this recommendation when checking EXP36-C. Do not cast pointers into more strictly aligned pointer types
Assignment operator should have operands of compatible types
|Polyspace Bug Finder|
Allocated memory does not match destination pointer
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
|SEI CERT C++ Coding Standard||VOID MEM02-CPP. Immediately cast the result of a memory allocation function call into a pointer to the allocated type|