Few programmers consider the issues around formatted I/O and type definitions. A programmer-defined integer type might be any type supported by the implementation, even a type larger than unsigned long long.

...

Code Block
#include <stdint.h>

mytypedef_t x;
uintmax_t temp;

temp = x; /* Always secure: uintmax_t can hold any unsigned integer value */

/* ... Change the value of temp ... */

if (temp <= MYTYPEDEF_MAX) {
  x = temp; /* Safe: the value has been verified to fit in mytypedef_t */
}

...

In addition to programmer-defined types, there is no requirement that an implementation provide format-length modifiers for implementation-defined integer types. For example, a machine with an implementation-defined 48-bit integer type may not provide format-length modifiers for that type. Such a machine must still provide a 64-bit long long, and intmax_t must be at least that large.

...

Code Block
#include <stdio.h>

mytypedef_t x;
/* ... */
if (scanf("%llu", &x) != 1) {
  /* Handle error */
}

This noncompliant code example can result in a buffer overflow if the size of mytypedef_t is smaller than unsigned long long, or it might result in an incorrect value if the size of mytypedef_t is larger than unsigned long long.

...

Code Block
#include <stdio.h>
#include <inttypes.h>

mytypedef_t x;
uintmax_t temp;

/* ... */

if (scanf("%ju", &temp) != 1) {
  /* Handle error */
}
if (temp > MYTYPEDEF_MAX) {
  /* Handle error */
}
else {
  x = temp;
}
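The compliant pattern above carried through for one concrete typedef, as an added example that is not part of the original rule text: mytypedef_t, MYTYPEDEF_MAX, parse_mytypedef and format_mytypedef are assumed names, and the sample inputs are constructed. It also shows why the range check matters for input such as "-1", which %ju converts without error.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical programmer-defined type: here a 16-bit unsigned integer.
 * Neither printf nor scanf has a length modifier for this typedef,
 * so all formatted I/O goes through uintmax_t. */
typedef uint16_t mytypedef_t;
#define MYTYPEDEF_MAX UINT16_MAX

/* Parse s into *out. Returns 0 on success, -1 on a conversion or
 * range failure. Reads into a uintmax_t first (%ju), then checks the
 * value fits before narrowing. The check also rejects input such as
 * "-1": %ju follows strtoumax rules and wraps it to UINTMAX_MAX
 * instead of reporting a matching failure. */
int parse_mytypedef(const char *s, mytypedef_t *out) {
    uintmax_t temp;
    if (sscanf(s, "%ju", &temp) != 1) {
        return -1;              /* not an unsigned integer */
    }
    if (temp > MYTYPEDEF_MAX) {
        return -1;              /* would not fit in mytypedef_t */
    }
    *out = (mytypedef_t)temp;   /* safe: range already verified */
    return 0;
}

/* Format x via uintmax_t, the printf-side counterpart of the rule.
 * Returns the number of characters snprintf would have written. */
int format_mytypedef(mytypedef_t x, char *buf, size_t bufsize) {
    return snprintf(buf, bufsize, "%" PRIuMAX, (uintmax_t)x);
}

int main(void) {
    const char *inputs[] = { "65535", "65536", "-1", "abc" }; /* constructed */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        mytypedef_t x;
        char buf[32];
        if (parse_mytypedef(inputs[i], &x) == 0) {
            format_mytypedef(x, buf, sizeof buf);
            printf("%-6s -> accepted: %s\n", inputs[i], buf);
        } else {
            printf("%-6s -> rejected\n", inputs[i]);
        }
    }
    return 0;
}
```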

...

Visual Studio 2012 and earlier versions do not support the standard j length modifier and do not have a nonstandard analog. Consequently, the programmer must hard code the knowledge that intmax_t is int64_t and uintmax_t is uint64_t for Microsoft Visual Studio versions.

Code Block
#include <stdio.h>
#include <inttypes.h>

mytypedef_t x;
uintmax_t temp;

/* ... */
#ifdef _MSC_VER
#  define UINTMAX_CS "%llu"
#else
#  define UINTMAX_CS "%ju"
#endif

if (scanf(UINTMAX_CS, &temp) != 1) {
  /* Handle error */
}
if (temp > MYTYPEDEF_MAX) {
  /* Handle error */
}
else {
  x = temp;
}

...

Tool: Compass/ROSE
Description: Can catch violations of this rule by scanning the printf() and scanf() family of functions. For each such function, any variable that corresponds to a %d qualifier (or any qualifier besides %j) and that is not one of the built-in types (char, short, int, long, long long) indicates a violation of this rule. To catch violations, ROSE would also have to recognize derived types in expressions, such as size_t.

Tool: LDRA tool suite
Checker: 439 S, 440 S, 586 S
Description: Partially implemented

...