...
In this noncompliant code example, integer values returned by parseint(getdata()) are stored into an array of INTBUFSIZE elements of type int called buf [Dowd 2006]. If data is available for insertion into buf (which is indicated by havedata()) and buf_ptr has not been incremented past buf + sizeof(buf), an integer value is stored at the address referenced by buf_ptr. However, the sizeof operator returns the total number of bytes in buf, which is INTBUFSIZE * sizeof(int), not the number of elements. Because buf is a pointer to int in this expression, adding that byte count scales it by sizeof(int) a second time, so the bound used in the comparison lies sizeof(int) times farther from buf than the actual end of the array. As a result, the check intended to keep integers from being written past the end of buf is incorrect, and a buffer overflow is possible whenever more than INTBUFSIZE values are available.
...
A similar situation occurred in OpenBSD's make command [Murenin 2007].
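The following is an added example, not code from the original page or from [Dowd 2006]. It assumes the array and loop described above, and it replaces havedata(), getdata() and parseint() with a constructed in-memory source (a hypothetical struct source) that offers more integers than buf can hold. The byte-count bound the noncompliant comparison actually admits is computed separately rather than executed, and the fill loop itself uses the element-count bound buf + INTBUFSIZE, so the program runs without writing past the array.

```c
#include <stddef.h>
#include <stdio.h>

enum { INTBUFSIZE = 80 };
int buf[INTBUFSIZE];

/* Constructed stand-in for the page's havedata()/getdata()/parseint():
 * offers 'remaining' integers (0, 1, 2, ...) and then reports no data. */
struct source { int remaining; int next; };

static int havedata(struct source *src) { return src->remaining > 0; }
static int getdata(struct source *src) { src->remaining--; return src->next++; }
static int parseint(int raw) { return raw; }   /* identity parse for the demo */

/* Number of int slots admitted by the noncompliant test
 * buf_ptr < buf + sizeof(buf): sizeof(buf) is a byte count, and the
 * addition scales it by sizeof(int) again, so the bound is sizeof(int)
 * times too large (320 slots for an 80-element array of 4-byte ints). */
size_t noncompliant_limit_elems(void) {
    return sizeof(buf);
}

/* Compliant bound derived from the array itself: always INTBUFSIZE. */
size_t compliant_limit_elems(void) {
    return sizeof(buf) / sizeof(buf[0]);
}

/* Compliant fill loop: the bound is an element count, so a source that
 * offers more items than buf holds cannot write past the end.
 * Returns the number of elements stored. */
size_t fill_buf(struct source *src) {
    int *buf_ptr = buf;
    while (havedata(src) && buf_ptr < buf + INTBUFSIZE) {
        *buf_ptr++ = parseint(getdata(src));
    }
    return (size_t)(buf_ptr - buf);
}

/* Drive fill_buf() with four times as many items as fit. */
size_t fill_from_oversized_source(void) {
    struct source src = { INTBUFSIZE * 4, 0 };
    return fill_buf(&src);
}

int main(void) {
    printf("noncompliant bound admits %zu ints, compliant bound %zu\n",
           noncompliant_limit_elems(), compliant_limit_elems());
    printf("stored %zu of %d offered\n",
           fill_from_oversized_source(), INTBUFSIZE * 4);
    return 0;
}
```

On a platform with 4-byte int the first line reports 320 versus 80; the second shows the corrected loop stopping at exactly INTBUFSIZE elements.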
Compliant Solution
To correct this example, the pointer to struct big is cast to char * before skip is added. Arithmetic on a char * advances by sizeof(char), which is 1, so skip is applied as the byte offset it was computed as rather than being multiplied by sizeof(struct big).
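Added example, not the page's own code: the member layout of struct big and the use of offsetof() to compute skip as a byte offset are assumptions for illustration. It computes the distance that s + skip and (char *)s + skip each cover (without dereferencing the unscaled form, which would be out of bounds), then performs the corrected memset() on a heap object and checks that the first member is left intact while the rest are zeroed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout standing in for the page's struct big. */
struct big {
    unsigned long long ull_1;
    unsigned long long ull_2;
    unsigned long long ull_3;
    int si_4;
    int si_5;
};

/* Bytes the unscaled expression s + skip advances by: skip is a byte
 * count, but arithmetic on a struct big * scales it by sizeof(struct big). */
size_t noncompliant_advance_bytes(size_t skip) {
    return skip * sizeof(struct big);
}

/* Bytes (char *)s + skip advances by: char arithmetic scales by 1. */
size_t compliant_advance_bytes(size_t skip) {
    return skip * sizeof(char);
}

/* Zero every member from ull_2 to the end of the object, leaving ull_1.
 * Returns 1 if the members from ull_2 onward are zero afterwards. */
int clear_tail(struct big *s) {
    size_t skip = offsetof(struct big, ull_2);
    memset((char *)s + skip, 0, sizeof(struct big) - skip);
    return s->ull_2 == 0 && s->ull_3 == 0 && s->si_4 == 0 && s->si_5 == 0;
}

/* Populate a heap object, clear its tail, and report whether ull_1
 * survived and the rest were zeroed (1 = yes, 0 = no, -1 = no memory). */
int demo_clear_tail(void) {
    int ok;
    struct big *s = malloc(sizeof *s);
    if (s == NULL) {
        return -1;
    }
    s->ull_1 = 0x1111; s->ull_2 = 0x2222; s->ull_3 = 0x3333;
    s->si_4 = 4;       s->si_5 = 5;

    ok = clear_tail(s) && s->ull_1 == 0x1111;
    free(s);
    return ok;
}

int main(void) {
    size_t skip = offsetof(struct big, ull_2);
    printf("s + skip advances %zu bytes; (char *)s + skip advances %zu bytes\n",
           noncompliant_advance_bytes(skip), compliant_advance_bytes(skip));
    printf("clear_tail ok: %d\n", demo_clear_tail());
    return 0;
}
```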
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| | | 45 D | Partially implemented. |
| PRQA QA-C | | | Partially implemented. |
...
ISO/IEC TR 17961 (Draft) Adding or subtracting a byte count to an element pointer [cntradd]
ISO/IEC PDTR 24772 "HFC Pointer casting and pointer type changes" and "RVG Pointer arithmetic"
MISRA Rules 17.1–17.4
MITRE CWE: CWE-468, "Incorrect pointer scaling"
Bibliography
[Dowd 2006] Chapter 6, "C Language Issues"
[Murenin 2007]
...