...

the element count of the pointer p is sizeof(arr) / sizeof(arr[0]), that is, 5. The element count of the pointer p2 is sizeof(arr), that is, 20, on platforms where sizeof(int) == 4. The element count of the pointer p3 is 12 on platforms where sizeof(int) == 4, because p3 points two elements past the start of the array arr. The element count of p4 is treated as though it were unsigned char * instead of void *, so it is the same as p2.

Standard Library Functions

The following are lists of C library functions to which this rule applies.

Library Functions That Take a Pointer and Integer

The following standard library functions take a pointer argument and a size argument, with the constraint that the pointer must point to a valid memory object of at least the number of elements indicated by the size argument.

...

1 Takes two pointers and an integer, but the integer specifies the element count only of the output buffer, not of the input buffer.
2 Takes two pointers and an integer, but the integer specifies the element count only of the input buffer, not of the output buffer.
3 Takes two pointers and two integers; each integer corresponds to the element count of one of the pointers.
4 Takes a pointer and two size-related integers; the first size-related integer parameter specifies the number of bytes available in the buffer; the second size-related integer parameter specifies the number of bytes to write within the buffer.

For calls that take a pointer and an integer size, the given size should not be greater than the element count of the pointer.

Noncompliant Code Example (Element Count)

...

Compliant Solution (Pointer + Integer)

For calls that take a pointer and an integer size, the given size should not be greater than the element count of the pointer. This compliant solution ensures that the value of n is not greater than the number of bytes of the dynamic memory pointed to by the pointer p:

...

#include <string.h>

void f2(void) {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(a);  /* size of a in bytes */
  void *p = a;

  memset(p, 0, n);  /* n does not exceed the bytes behind p */
}

Library Functions That Take Two Pointers and an Integer

The following standard library functions take two pointer arguments and a size argument, with the constraint that both pointers must point to valid memory objects of at least the number of elements indicated by the size argument. 

memcpy()     wmemcpy()    memmove()    wmemmove()
strncpy()    wcsncpy()    memcmp()     wmemcmp()
strncmp()    wcsncmp()    strcpy_s()   wcscpy_s()
strcat_s()   wcscat_s()

For calls that take two pointers and an integer size, the given size should not be greater than the element count of either pointer.

Noncompliant Code Example (Two Pointers + One Integer)

...

Compliant Solution (Two Pointers + One Integer)

For calls that take two pointers and an integer size, the given size should not be greater than the element count of either pointer. This compliant solution ensures that n is equal to the size of the character array:

#include <string.h>

/* size_p is the number of bytes in the array that p refers to. */
void f4(char p[], const char *q, size_t size_p) {
  const size_t n = size_p;
  if ((memcpy(p, q, n)) == p) {
    /* ... */
  }
}
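
The constraint applies to both pointers, and for the wide-character functions the integer counts wchar_t elements rather than bytes. The following added example (not part of the original rule text) checks n against both objects before copying; copy_bytes, copy_wide, the demo functions and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical helper (not from the page): byte-counted copy that refuses
 * any n larger than the object behind either pointer. */
static int copy_bytes(void *dst, size_t dst_bytes,
                      const void *src, size_t src_bytes, size_t n) {
  if (dst == NULL || src == NULL || n > dst_bytes || n > src_bytes) {
    return -1;
  }
  memcpy(dst, src, n);
  return 0;
}

/* Same check for wmemcpy(), whose n counts wchar_t elements, not bytes. */
static int copy_wide(wchar_t *dst, size_t dst_elems,
                     const wchar_t *src, size_t src_elems, size_t n) {
  if (dst == NULL || src == NULL || n > dst_elems || n > src_elems) {
    return -1;
  }
  wmemcpy(dst, src, n);
  return 0;
}

/* Constructed sample: a 40-byte destination and a 10-byte source string. */
int demo_bytes(size_t n) {
  char p[40] = {0};
  const char q[] = "Too short";
  if (copy_bytes(p, sizeof(p), q, sizeof(q), n) != 0) return -1;
  return (int)strlen(p);
}

/* Constructed sample: 8 wide characters on each side. */
int demo_wide(size_t n) {
  wchar_t w[8] = {0};
  const wchar_t s[8] = L"1234567";
  if (copy_wide(w, COUNT_OF(w), s, COUNT_OF(s), n) != 0) return -1;
  return (int)wcslen(w);
}

int main(void) {
  /* sizeof(p) fits the destination but would read past the source. */
  return (demo_bytes(10) == 9 && demo_bytes(40) == -1) ? 0 : 1;
}
```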

Library Functions That Take a Pointer and Two Integers

The following standard library functions take a pointer argument and two size arguments, with the constraint that the pointer must point to a valid memory object containing at least as many bytes as the product of the two size arguments.

bsearch()    bsearch_s()  qsort()      qsort_s()
fread()      fwrite()

For calls that take a pointer and two integers, one integer represents the number of bytes required for an individual object, and a second integer represents the number of elements in the array. The resulting product of the two integers should not be greater than the element count of the pointer were it expressed as an unsigned char *.  

Noncompliant Code Example (One Pointer + Two Integers)

...

Compliant Solution (One Pointer + Two Integers)

For calls that take a pointer and two integers, one integer represents the number of bytes required for an individual object, and a second integer represents the number of elements in the array. The resulting product of the two integers should not be greater than the element count of the pointer were it expressed as an unsigned char *. This compliant solution uses the sizeof operator to correctly provide the object size and numObjs to provide the element count.

...
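
One way to enforce the product constraint before calling qsort(), as an added example that is not part of the original rule text; qsort_checked, cmp_int and demo_sort are hypothetical names and the array contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper (not from the page): sort nmemb objects of elem_size
 * bytes only if they fit in the buf_bytes that really back base. */
static int qsort_checked(void *base, size_t buf_bytes, size_t nmemb,
                         size_t elem_size,
                         int (*cmp)(const void *, const void *)) {
  if (base == NULL || cmp == NULL || elem_size == 0) {
    return -1;
  }
  /* Division form of nmemb * elem_size <= buf_bytes, so the product
   * cannot wrap around SIZE_MAX and slip past the check. */
  if (nmemb > buf_bytes / elem_size) {
    return -1;
  }
  qsort(base, nmemb, elem_size, cmp);
  return 0;
}

static int cmp_int(const void *a, const void *b) {
  const int x = *(const int *)a;
  const int y = *(const int *)b;
  return (x > y) - (x < y);
}

/* Constructed sample data. Returns the smallest sorted value, or -1 when
 * the requested extent is rejected. */
int demo_sort(size_t nmemb, size_t elem_size) {
  int v[5] = {42, 7, 19, 3, 25};
  if (qsort_checked(v, sizeof(v), nmemb, elem_size, cmp_int) != 0) {
    return -1;
  }
  return v[0];
}

int main(void) {
  /* Correct call, then the element count inflated to a byte count. */
  return (demo_sort(5, sizeof(int)) == 3 &&
          demo_sort(sizeof(int[5]), sizeof(int)) == -1) ? 0 : 1;
}
```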