...

the effective size of the pointer p is sizeof(arr) / sizeof(*arr), that is, 5.  The effective size of the pointer p2, is sizeof(arr), that is, 20 (on platforms where sizeof(int) == 4).  The effective size of the pointer p3 is 12 (on platforms where sizeof(int) == 4), because p3 points two elements past the start of the array arr.  The effective size of p4 is treated as though it were unsigned char * instead of void *, and so is the same as p2.

To guarantee that a standard library function does not construct an out-of-bounds pointer, programmers must heed the following rules when using functions that operate on pointed-to regions:

• Always express the integer size in terms of the effective size expected by the function.
  • Eg) memcpy() expects the effective size expressed in terms of void *, but wmemcpy() expects the effective size expressed in terms of wchar_t *.
• For calls that take a pointer and an integer size, the given size should not be greater than the effective size of the pointer.
• For calls that take a two pointers and an integer size, the given size should not be greater than the effective size of either pointer.
• For calls that take a pointer and two integers, generally accept one integer representing the size of an individual object, and a second integer representing the number of objects in the array.  The resulting product of the two integers should not be greater than the effective size of the pointer were it expressed as an unsigned char *.   See INT30-C. Ensure that unsigned integer operations do not wrap for more information.
• For standard memory allocation functions, the size (possibly scaled, as in the case of calloc()) should not be less than the desired effective size of the object being allocated were it expressed as an unsigned char *.  See MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap for more information about calloc().

Standard Library Functions

...

Standard Memory Allocation Functions

The following are the standard memory allocation functions that take a size integer argument and return a pointer.

...

Noncompliant Code Example (Effective Size)

In this noncompliant code example, the incorrect effective size is used in a call to wmemcpy().  The sizeof operator returns the size expressed in bytes, but wmemcpy() uses an effective size of wchar_t *.

#include <string.h>
#include <wchar.h>
 
static const char str[] = "Hello world";
static const wchar_t w_str[] = L"Hello world";
void func(void) {
  char buffer[32];
  wchar_t w_buffer[32];
  memcpy(buffer, str, sizeof(str));
  wmemcpy(w_buffer, w_str, sizeof(w_str));
}

Compliant Solution (Effective Size)

When using functions that operate on pointed-to regions, programmers must always express the integer size in terms of the effective size expected by the function.  For instance, memcpy() expects the effective size expressed in terms of void *, but wmemcpy() expects the effective size expressed in terms of wchar_t *.  Instead of using the sizeof operator, calls to return the number of elements in the string are used, which matches the expected effective size for the copy functions.

#include <string.h>
#include <wchar.h>
 
static const char str[] = "Hello world";
static const wchar_t w_str[] = L"Hello world";
void func(void) {
  char buffer[32];
  wchar_t w_buffer[32];
  memcpy(buffer, str, strlen(str) + 1);
  wmemcpy(w_buffer, w_str, wcslen(w_str) + 1);
} 

Noncompliant Code Example (Pointer + Integer)

This noncompliant code example assigns a value greater than the size of available memory to n, which is then passed to memset():

#include <stdlib.h>
#include <string.h>
 
void f1(size_t nchars) {
  char *p = (char *)malloc(nchars);
  const size_t n = nchars + 1;

  memset(p, 0, n);
}

Compliant Solution (Pointer + Integer)

For calls that take a pointer and an integer size, the given size should not be greater than the effective size of the pointer.  This compliant solution ensures that the value of n is not greater than the size of the dynamic memory pointed to by the pointer p:

#include <stdlib.h>
#include <string.h>
 
void f1(size_t nchars) {
  char *p = (char *)malloc(nchars);
  const size_t n = nchars;

  memset(p, 0, n);
}

Noncompliant Code Example (Pointer + Integer)

In this noncompliant code example, the effective size of the array a is ARR_SIZE elements.  Because memset expects a byte count, the size of the array is scaled incorrectly by sizeof(int) instead of sizeof(float), which can form an invalid pointer on architectures where sizeof(int) != sizeof(float).

#include <string.h>
 
void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(int) * ARR_SIZE;
  void *p = a;

  memset(p, 0, n);
}

Compliant Solution (Pointer + Integer)

In this compliant solution, the effective size required by memset is properly calculated without resorting to scaling.

#include <string.h>
 
void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(a);
  void *p = a;

  memset(p, 0, n);
}

Noncompliant Code Example (Two Pointers + One Integer)

In this noncompliant

...

example, a diagnostic is required because the value

...

of n is

...

not computed correctly, allowing a possible write past the end of the object referenced by p:

#include <stdlib<string.h>
#include <wchar.h>
 
wchar_tvoid *f4() {
  const wchar_t *p = L"Hello, World!";char p[], const char *q) {
  const size_t n = sizeof(p); *
  if (wcslen(memcpy(p), +q, 1n));

  wchar_t *q = (wchar_t *)malloc(n);
  return q; == p) {
  }
}

Compliant Solution (Two Pointers + One Integer)

For calls that take a two pointers and an integer size, the given size should not be greater than the effective size of either pointer.  This compliant solution ensures that n is calculated based on the proper typeequal to the size of the character array:

#include <stdlib<string.h>
#include <wchar.h>
 
wchar_t *f4() {
  const wchar_t *p = L"Hello, World!";
void f4(char p[], const char *q, size_t size_p) {
  const size_t n = sizeof(*p) * (wcslen(p) + 1);

  wchar_t *q = (wchar_t *) malloc(n);
  return q;
}

Noncompliant Code Example

...

size_p; 
  if ((memcpy(p, q, n)) == p) {
  }
}

Noncompliant Code Example (One Pointer + Two Integers)

In this noncompliant code example, the size of struct obj is assumed to be eight bytes to account for padding.  However, the padding is dependent on the target architecture as well as compiler settings, so this may be the incorrect effective size.

#include <string<stdio.h>
 
void f4(char p[], const char *q) {
  conststruct obj {
  char c;
  int i;
};
 
void func(FILE *f, struct obj *objs, size_t n = sizeof(p); numObjs) {
  if ((memcpy(pnumObjs != fwrite(objs, 8, qnumObjs, nf)) =={
 p) {  /* Handle Violationerror */
  }
}

Compliant Solution

...

(One Pointer + Two Integers)

For calls that take a pointer and two integers, generally accept one integer representing the size of an individual object, and a second integer representing the number of objects in the array.  The resulting product of the two integers should not be greater than the effective size of the pointer were it expressed as an unsigned char *.   See INT30-C. Ensure that unsigned integer operations do not wrap for more information.This compliant solution ensures that n is equal to the size of the character array:

#include <string<stdio.h>
 
 
struct obj {
  char c;
  int i;
};
 
void f4func(char p[]FILE *f, conststruct charobj *qobjs, size_t size_pnumObjs) {
  const size_t n = size_p; 
  if ((memcpy(p, q, n)) == p) {if (numObjs != fwrite(objs, sizeof(*objs), numObjs, f)) {
    /* Handle error */
  }
}

Risk Assessment

Depending on the library function called, the attacker may be able to use a heap overflow vulnerability to run arbitrary code.

...

...

...