You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 63 Next »

Invoking getc() and putc() with stream arguments that have side effects may cause unexpected results because these functions may be implemented as unsafe macros. The stream arguments to these macros may be evaluated more than once. See PRE31-C. Do not perform side effects in arguments to unsafe macros for more information.

This does not apply to the character argument in putc(), which is guaranteed to be evaluated exactly once.

Noncompliant Code Example (getc())

This code calls the getc() function with an expression as the stream argument. If getc() is implemented as a macro, the file may be opened several times. (See FIO31-C. Do not open a file that is already open.)

#include <stdio.h>
 
void func(const char *file_name) {
  FILE *fptr;

  int c = getc(fptr = fopen(file_name, "r"));
  if (c == EOF) {
    /* Handle error */
  }

  fclose(fptr);
}

This noncompliant code example also violates FIO33-C. Detect and handle input output errors resulting in undefined behavior because the value returned by fopen() is not checked for errors.

Compliant Solution (getc())

In this compliant solution, getc() is no longer called with an expression as its argument, and the value returned by fopen() is checked for errors:

#include <stdio.h>
 
void func(const char *file_name) {
  int c;
  FILE *fptr;

  fptr = fopen(file_name, "r");
  if (fptr == NULL) {
    /* Handle error */
  }

  c = getc(fptr);
  if (c == EOF) {
    /* Handle error */
  }

  fclose(fptr);
}

Noncompliant Code Example (putc())

In this noncompliant example, putc() is called with an expression as the stream argument. If putc() is implemented as a macro, the expression can be evaluated several times within the macro expansion of putc() with unintended results.

#include <stdio.h>
 
void func(const char *file_name) {
  FILE *fptr = NULL;
  int c = 'a';
 
  while (c <= 'z') {
    if (putc(c++, fptr ? fptr :
         (fptr = fopen(file_name, "w")) == EOF) {
      /* Handle error */
    }
  }

  fclose(fptr);
}

If the putc() macro evaluates its stream argument multiple times, this might still seem safe, as the ternary conditional expression ostensibly prevents multiple calls to fopen(). However, there is no guarantee that these calls would happen in distinct sequence points. Consequently, this code also violates EXP30-C. Do not depend on order of evaluation for side effects.

Compliant Solution (putc())

In the compliant solution, the stream argument to putc() no longer has side effects:

#include <stdio.h>
 
void func(const char *file_name) {
  int c = 'a'; 
  FILE *fptr = fopen(file_name, "w");
 
  if (fptr == NULL) {
    /* Handle error */
  }

  while (c <= 'z') {
    if (putc(c++, fptr) == EOF) {
      /* Handle error */
    }
  }

  fclose(fptr);
}

The c++ is perfectly safe because putc() guarantees to evaluate its character argument exactly once.

This example shows only the side-effect issue. The output differs depending on the character set. Consequently, it is important to make no assumptions about the order of the letters. For example, when run on a machine using an ASCII-derived code set such as ISO-8859 or Unicode, this code sample will print out the 26 lowercase letters of the English alphabet. However, if run with an EBCDIC-based code set, such as Codepage 037 or Codepage 285, punctuation marks or symbols may be output between the letters.

Risk Assessment

Using an expression that has side effects as the stream argument to getc() or putc() can result in unexpected behavior and possibly abnormal program termination.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO41-C

Low

Unlikely

Medium

P2

L3

Automated Detection

Tool

Version

Checker

Description

LDRA tool suite

9.7.1

9 S

Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

 


 

  • No labels