Versions Compared

Comment: minor edits

...

```c
#include <locale.h>
#include <stdlib.h>

int utf8_to_wcs(wchar_t *wcs, size_t n, const char *utf8,
                size_t *size) {
  if (NULL == size) {
    return -1;
  }
  /* The return value of setlocale() is ignored, so a failed locale
   * change goes unnoticed, and the caller's locale is never restored. */
  setlocale(LC_CTYPE, "en_US.UTF-8");
  *size = mbstowcs(wcs, utf8, n);
  return 0;
}
```

...

```c
#include <locale.h>
#include <stdlib.h>
#include <string.h>

int utf8_to_wcs(wchar_t *wcs, size_t n, const char *utf8,
                size_t *size) {
  char save[64];    /* copy of the caller's LC_CTYPE locale name */
  const char *cur;

  if (NULL == size) {
    return -1;
  }
  /* setlocale() returns the locale in effect after the call, so the
   * value to restore must be queried before the locale is changed; the
   * returned string may be overwritten by later calls, so it is copied. */
  cur = setlocale(LC_CTYPE, NULL);
  if (NULL == cur || strlen(cur) >= sizeof(save)) {
    return -1;
  }
  strcpy(save, cur);
  if (NULL == setlocale(LC_CTYPE, "en_US.UTF-8")) {
    return -1;
  }

  *size = mbstowcs(wcs, utf8, n);
  if (NULL == setlocale(LC_CTYPE, save)) {
    return -1;
  }
  /* mbstowcs() returns (size_t)-1 on an invalid multibyte sequence */
  return ((size_t)-1 == *size) ? -1 : 0;
}
```

...

In this noncompliant code example, the function signal() is invoked to install a handler for the SIGINT signal. The signal() function returns a pointer to the previously installed handler on success and the value SIG_ERR on failure. However, because the caller fails to check for errors, when signal() fails, the function may proceed with the lengthy computation without the ability to interrupt it.

```c
#include <signal.h>

volatile sig_atomic_t interrupted;

void handle_interrupt(int signo) {
  interrupted = 1;
}

int f(void) {
  int result = 0;

  /* Return value (SIG_ERR on failure) is not checked */
  signal(SIGINT, handle_interrupt);

  while (0 == result && 0 == interrupted) {
    /* Perform a lengthy computation */
  }

  /* Indicate success or failure */
  return interrupted ? -1 : result;
}
```

...

```c
#include <signal.h>

volatile sig_atomic_t interrupted;

void handle_interrupt(int signo) {
  interrupted = 1;
}

int f(void) {
  int result = 0;
  void (*saved_handler)(int);
  saved_handler = signal(SIGINT, handle_interrupt);

  /* Compare the function pointer directly; casting it to int is
   * not portable and can hide the SIG_ERR result */
  if (SIG_ERR == saved_handler) {
    /* Indicate failure */
    return -1;
  }

  while (0 == result && 0 == interrupted) {
    /* Perform a lengthy computation */
  }

  /* Restore the previous handler, again checking for failure */
  if (SIG_ERR == signal(SIGINT, saved_handler)) {
    return -1;
  }

  /* Indicate success or failure */
  return interrupted ? -1 : result;
}
```

...

In this noncompliant code example, temp_num, tmp2, and num_of_records are derived from a tainted source. Consequently, an attacker can easily cause malloc() to fail by providing a large value for num_of_records.

...

This noncompliant code example calls realloc() to resize the memory referred to by p. However, if realloc() fails, it returns a null pointer, and the connection between the original block of memory and p is lost, resulting in a memory leak.

```c
#include <stdlib.h>

void *p;
void func(size_t new_size) {
  if (new_size == 0) {
    /* Handle error */
  }
  /* If realloc() fails, p is overwritten with NULL and the
   * original block can no longer be freed */
  p = realloc(p, new_size);
  if (p == NULL) {
    /* Handle error */
  }
}
```

This code example does comply with MEM04-C. Do not perform zero-length allocations.

Compliant Solution (realloc())

In this compliant solution, the result of realloc() is assigned to the temporary pointer q and validated before it is assigned to the original pointer p. This solution is also compliant with MEM04-C. Do not perform zero-length allocations. 

```c
#include <stdlib.h>

void *p;
void func(size_t new_size) {
  void *q;

  if (new_size == 0) {
    /* Handle error */
  }

  q = realloc(p, new_size);
  if (q == NULL) {
    /* Handle error; p still refers to the original block */
  } else {
    p = q;
  }
}
```

...

According to the C Standard, the fseek() function returns a nonzero value to indicate that an error occurred. Test for this condition before reading from a file to eliminate the chance of operating on the wrong portion of the file if fseek() fails. Always test the returned value to make sure an error did not occur before operating on the file. If an error does occur, handle it appropriately.

...

In this noncompliant code example, snprintf() is assumed to succeed. However, if the call fails (for example, because of insufficient memory, as described in GNU libc bug 441945), the subsequent call to log_message() is likely to result in undefined behavior because the character buffer is uninitialized and need not be null-terminated.
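As an added example (not code from the CERT page), the wrapper below shows how a caller can check snprintf()'s result before handing the buffer to a consumer such as log_message(): a negative return means failure and leaves the buffer indeterminate, so the wrapper resets it to an empty string; a return of size or more means the output was truncated. The format_message() and log_message() names are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Format a message into buf, checking vsnprintf()'s return value.
 * Returns 0 on success, 1 if the output was truncated (buf holds the
 * first size-1 characters, null-terminated), and -1 on failure, in
 * which case buf is reset to "" so a later consumer never reads an
 * uninitialized, possibly unterminated buffer. */
int format_message(char *buf, size_t size, const char *fmt, ...) {
  va_list ap;
  int rc;

  if (buf == NULL || size == 0) {
    return -1;
  }
  va_start(ap, fmt);
  rc = vsnprintf(buf, size, fmt, ap);
  va_end(ap);

  if (rc < 0) {
    buf[0] = '\0';   /* contents are unspecified after a failure */
    return -1;
  }
  if ((size_t)rc >= size) {
    return 1;        /* truncated, but still null-terminated */
  }
  return 0;
}

/* Hypothetical consumer standing in for the page's log_message();
 * it relies on msg being a valid, null-terminated string. */
size_t log_message(const char *msg) {
  return strlen(msg);
}

int main(void) {
  char buf[16];
  /* Constructed input: a non-ASCII wide character under the default
   * "C" locale cannot be converted, so vsnprintf() reports an error */
  int rc = format_message(buf, sizeof buf, "%ls", L"\x263A");
  if (rc == 0) {
    log_message(buf);
  }
  return rc == -1 ? 1 : 0;
}
```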

...