Do not invoke getc() or putc() or their wide-character analogues getwc() and putwc() with stream arguments that have side effects. The stream arguments to these macros may be evaluated more than once if these functions are implemented as unsafe macros. See PRE31-C. Do not perform side effects in arguments to unsafe macros for more information.
This rule does not apply to the character argument in putc() or the wide-character argument in putwc() which is guaranteed to be evaluated exactly once.
Noncompliant Code Example (getc())
This code calls the getc() function with an expression as the stream argument. If getc() is implemented as a macro, the file may be opened multiple times. (See FIO31-C. Do not open a file that is already open.)
#include <stdio.h>
void func(const char *file_name) {
FILE *fptr;
int c = getc(fptr = fopen(file_name, "r"));
if (feof(stdin) || ferror(stdin)) {
/* Handle error */
}
if (fclose(fptr) == EOF) {
/* Handle error */
}
}
This noncompliant code example also violates ERR33-C. Detect and handle standard library errors because the value returned by fopen() is not checked for errors.
Compliant Solution (getc())
In this compliant solution, fopen() is called before getc() and its return value is checked for errors:
#include <stdio.h>
void func(const char *file_name) {
int c;
FILE *fptr;
fptr = fopen(file_name, "r");
if (fptr == NULL) {
/* Handle error */
}
c = getc(fptr);
if (feof(stdin) || ferror(stdin)) {
/* Handle error */
}
if (fclose(fptr) == EOF) {
/* Handle error */
}
}
Noncompliant Code Example (putc())
In this noncompliant example, putc() is called with an expression as the stream argument. If putc() is implemented as a macro, this expression can be evaluated multiple times.
#include <stdio.h>
void func(const char *file_name) {
FILE *fptr = NULL;
int c = 'a';
while (c <= 'z') {
if (putc(c++, fptr ? fptr :
(fptr = fopen(file_name, "w")) == EOF) {
/* Handle error */
}
}
if (fclose(fptr) == EOF) {
/* Handle error */
}
}
If the putc() macro evaluates its stream argument multiple times, this might still seem safe, as the ternary conditional expression ostensibly prevents multiple calls to fopen(). However, there is no guarantee that these calls would happen in distinct sequence points. Consequently, this code also violates EXP30-C. Do not depend on order of evaluation for side effects. This code also violates ERR33-C. Detect and handle standard library errors because it fails to check the return value from fopen().
Compliant Solution (putc())
In the compliant solution, the stream argument to putc() no longer has side effects:
#include <stdio.h>
void func(const char *file_name) {
int c = 'a';
FILE *fptr = fopen(file_name, "w");
if (fptr == NULL) {
/* Handle error */
}
while (c <= 'z') {
if (putc(c++, fptr) == EOF) {
/* Handle error */
}
}
if (fclose(fptr) == EOF) {
/* Handle error */
}
}
The expression c++ is perfectly safe because putc() guarantees to evaluate its character argument exactly once.
This example shows only the side-effect issue. The output differs depending on the character set. Consequently, it is important to not make assumptions about the order of the letters. For example, when run on a machine using an ASCII-derived code set such as ISO-8859 or Unicode, this solution will print out the 26 lowercase letters of the English alphabet. However, if run with an EBCDIC-based code set, such as Codepage 037 or Codepage 285, punctuation marks or symbols may be output between the letters.
Risk Assessment
Using an expression that has side effects as the stream argument to getc() or putc() can result in unexpected behavior and possibly abnormal program termination.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FIO41-C | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
| 9.7.1 | 9 S | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines