...
In this noncompliant code example, integer values returned by parseint(getdata()) are stored into an array of INTBUFSIZE elements of type int called buf [Dowd 2006]. If data is available for insertion into buf (which is indicated by havedata()) and buf_ptr has not been incremented past buf + sizeof(buf), an integer value is stored at the address referenced by buf_ptr. However, the sizeof operator returns the total number of bytes in buf, which is typically a multiple of the number of elements in buf. When this byte count is added to buf, pointer arithmetic scales it again by the size of an integer. As a result, the check to make sure integers are not written past the end of buf is incorrect, and a buffer overflow is possible.
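The following added example (not the page's original listing) works through the scaling error described above and contrasts it with an element-scaled bound. The value of INTBUFSIZE, the input stub `nextint()`, and all function names other than `havedata()` are assumptions made for the demonstration; the flawed bound is only computed, never dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

enum { INTBUFSIZE = 80 };  /* constructed size; the page gives no value */

/* Constructed input source standing in for havedata()/parseint(getdata()). */
static int pending;
static int havedata(void) { return pending > 0; }
static int nextint(void) { return pending--; }  /* hypothetical helper */

/* Elements admitted by the flawed test `buf_ptr < buf + sizeof(buf)`:
 * sizeof yields a byte count, and adding it to an int * scales it by
 * sizeof(int) again, so the bound lies sizeof(buf) ELEMENTS past buf. */
size_t flawed_bound_elems(void) {
    return sizeof(int[INTBUFSIZE]);
}

/* Out-of-bounds stores the flawed test would permit for n inputs.
 * Computed arithmetically; performing them is undefined behavior. */
size_t flawed_oob_stores(size_t n) {
    size_t admitted = n < flawed_bound_elems() ? n : flawed_bound_elems();
    return admitted > (size_t)INTBUFSIZE ? admitted - INTBUFSIZE : 0;
}

/* Element-scaled bound: buf + element count is the one-past-the-end
 * pointer, which is valid to form and compare. Returns values stored. */
size_t fill_checked(int inputs) {
    int buf[INTBUFSIZE];
    int *buf_ptr = buf;
    int *const end = buf + sizeof(buf) / sizeof(buf[0]);
    pending = inputs;
    while (havedata() && buf_ptr < end)
        *buf_ptr++ = nextint();
    return (size_t)(buf_ptr - buf);
}

int main(void) {
    printf("flawed bound: %zu elements, array holds %d\n",
           flawed_bound_elems(), (int)INTBUFSIZE);
    printf("flawed check, 1000 inputs: %zu stores past the end\n",
           flawed_oob_stores(1000));
    printf("element-scaled check, 1000 inputs: %zu stored\n",
           fill_checked(1000));
    return 0;
}
```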
...
A similar situation occurred in OpenBSD's make command [Murenin 2007].
Compliant Solution
To correct this example, the struct big pointer is cast to char *. Because sizeof(char) is 1, this causes skip to be scaled by a factor of 1, so it is applied as a byte offset.
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| | | 45 D | Partially implemented. |
| PRQA QA-C | | 2930 2814 0488 | Partially implemented. |
How long is 4 yards plus 3 feet? It is obvious from elementary arithmetic that any answer involving 7 is wrong, as the student did not take the units into account. The right method is to convert both numbers to reflect the same units.
...
ISO/IEC TR 17961 (Draft) Adding or subtracting a byte count to an element pointer [cntradd]
ISO/IEC PDTR 24772 "HFC Pointer casting and pointer type changes" and "RVG Pointer arithmetic"
MISRA Rules 17.1–17.4
MITRE CWE: CWE-468, "Incorrect pointer scaling"
Bibliography
[Dowd 2006] Chapter 6, "C Language Issues"
[Murenin 2007]
...