...
- For func(p, n), where 'p' is a pointer, 'n' is an integer and 'func' is the library function, the value of 'n' should not be greater than the effective size of the pointer. Also, the effective type of the pointer should be compatible with either the derived type of 'n' or unsigned char.
- For func(p, q, n), where 'p' and 'q' are both pointers, 'n' is an integer and 'func' is the library function, the value of 'n' should not be greater than the effective size of either pointer ('p' or 'q'). The effective type of 'p' should be compatible with the derived type of 'n' or unsigned char. Similarly, the effective type of 'p' should be compatible with the effective type of 'q' or unsigned char.
- For an expression E of the form T* q = func(n), where 'func' is a memory allocation function, the value of 'n' should not be less than sizeof(T). Also, the effective type of 'T' should be compatible with either the derived type of 'n' or unsigned char.
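The three rules above can be enforced at the call site by wrappers that take the caller-known sizes of the pointed-to objects explicitly. The following is an added example, not code from the original page: the wrapper names (checked_memset, checked_memcpy, checked_alloc), the return codes and the demo inputs are constructed for illustration. Each wrapper refuses the call when 'n' violates the corresponding size rule instead of letting the library function run past the end of the object.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for the checked wrappers (constructed for this example). */
enum { CHK_OK = 0, CHK_TOO_LARGE = -1, CHK_NULL = -2 };

/* Rule for func(p, n): refuse when n exceeds the effective size of *p.
 * p_size is the caller-known size in bytes of the object p points to. */
int checked_memset(void *p, size_t p_size, int c, size_t n) {
    if (p == NULL) return CHK_NULL;
    if (n > p_size) return CHK_TOO_LARGE;
    memset(p, c, n);
    return CHK_OK;
}

/* Rule for func(p, q, n): n must not exceed the effective size of *p or *q. */
int checked_memcpy(void *p, size_t p_size,
                   const void *q, size_t q_size, size_t n) {
    if (p == NULL || q == NULL) return CHK_NULL;
    if (n > p_size || n > q_size) return CHK_TOO_LARGE;
    memcpy(p, q, n);
    return CHK_OK;
}

/* Rule for T *q = func(n): n must be at least sizeof(T).
 * elem_size is sizeof(T); NULL is returned when the request is too small. */
void *checked_alloc(size_t n, size_t elem_size) {
    if (n < elem_size) return NULL;
    return malloc(n);
}

/* Mirrors the page's noncompliant f1: nchars + 1 bytes into an nchars-byte
 * allocation. The wrapper rejects the call (returns CHK_TOO_LARGE). */
int demo_nchars_plus_one(size_t nchars) {
    char *p = malloc(nchars);
    int rc = checked_memset(p, nchars, 0, nchars + 1);
    free(p);
    return rc;
}

/* Mirrors the page's f3 scenario: copy n bytes of a float into a float array.
 * The effective size of *q is sizeof(b) and of *p is sizeof(a), so any n
 * larger than sizeof(float) is refused. */
int demo_float_copy(size_t n) {
    float a[4] = {0};
    float b = 3.14f;
    return checked_memcpy(a, sizeof a, &b, sizeof b, n);
}
```

The wrappers cannot discover the size of a pointed-to object on their own (sizeof on a pointer parameter yields the size of the pointer, not of the object), which is why the size travels with the pointer as a separate argument.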
Noncompliant Code Example
This noncompliant code example assigns to 'n' a value greater than the size of the dynamic memory, and 'n' is then passed to memset().
```c
#include <stdlib.h>
#include <string.h>

void f1(size_t nchars) {
  char *p = (char *)malloc(nchars);
  /* n is one byte larger than the allocation, so memset writes past the end of *p */
  const size_t n = nchars + 1;
  memset(p, 0, n);
  /* More program code */
}
```
...
This compliant solution makes sure that the value of 'n' is not greater than the size of the dynamic memory pointed to by the pointer 'p':
```c
#include <stdlib.h>
#include <string.h>

void f1(size_t nchars, size_t val) {
  char *p = (char *)malloc(nchars);
  const size_t n = val;
  if (p == NULL) {
    /* Handle allocation error */
  } else if (nchars < n) {
    /* Handle Error: n exceeds the effective size of *p */
  } else {
    memset(p, 0, n);
  }
}
```
Noncompliant Code Example
In the noncompliant code example below, the effective type of *p is float while the derived type of the expression 'n' is int.
...
In this compliant solution, the derived type of 'n' is also float (since it is a sizeof expression, its derived type is equal to the type of the operand, which is float; see derived type above).
```c
#include <stddef.h>
#include <string.h>

void f2(void) {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  /* n is derived from sizeof(float), so its derived type matches the effective type of *p */
  const size_t n = sizeof(float) * ARR_SIZE;
  void *p = a;
  memset(p, 0, n);
  /* More program code */
}
```
Noncompliant Code Example
In this noncompliant code example, the value of 'n' could be greater than the size of *p. Also, the effective type of *p (int) is not the same as the effective type of *q (float).
...
This compliant solution makes sure that the value of 'n' is not greater than the minimum of the effective sizes of *p and *q, and that the effective types of the two pointers are the same (float).
```c
#include <stddef.h>
#include <string.h>

/* a_size is the size in bytes of the object a points to. It must be supplied by
 * the caller, because sizeof(a) would only give the size of the pointer itself. */
void f3(float *a, size_t a_size, size_t val) {
  float b = 3.14f;
  const size_t n = val;
  void *p = a;
  void *q = &b;
  if ((n > a_size) || (n > sizeof(b))) {
    /* Handle error */
  } else {
    memcpy(p, q, n);
    /* More program code */
  }
}
```
Noncompliant Code Example
In this noncompliant code example, the value of 'n' is greater than the size of 'T', i.e. sizeof(wchar_t). But the derived type of the expression 'n' (wchar_t *) is not the same as the type 'T', because its derived type (from the definition above; see derived type) is equal to the type of 'p', which is wchar_t *.
...