...
Conversions between integers and pointers can have undesired consequences depending on the implementation.
According to the to the C Standard, subclause 6.3.2.3 3 [ISO/IEC 9899:20112024],
An integer may be converted to any pointer type. Except as previously specified, the result is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
...
Do not convert a pointer type to an integer type if the result cannot be represented in the integer type. (See undefined behavior 2423.)
The mapping between pointers and integers must be consistent with the addressing structure of the execution environment. Issues may arise, for example, on architectures that have a segmented memory model.
...
The result of this assignment is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
Compliant Solution
Adding an explicit cast may help the compiler convert the integer value into a valid pointer. A common technique is to assign the integer to a volatile-qualified object of type intptr_t
or uintptr_t
and then assign the integer value to the pointer:
...
bgColor | #ccccff |
---|---|
lang | c |
...
Unfortunately this code cannot be made safe while strictly conforming to ISO C.
A particular platform (that is, hardware, operating system, compiler, and Standard C library) might guarantee that a memory address is correctly aligned for the pointer type, and actually contains a value for that type. A common practice is to use addresses that are known to point to hardware that provides valid values.
Exceptions
INT36-C-EX1: A null pointer can be converted to an integer; it takes on the value 0. Likewise, the The integer value 0 can be converted to a pointer; it becomes the null pointer.
...
Converting from pointer to integer or vice versa results in code that is not portable and may create unexpected pointers to invalid memory locations.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT36-C | Low | Probable | High | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| pointer-integral-cast pointer-integral-cast-implicit function-pointer-integer-cast function-pointer-integer-cast-implicit | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC-INT36 | Fully implemented | ||||||
Clang |
| -Wint-to-pointer-cast , -Wint-conversion | Can detect some instances of this rule, but does not detect all | ||||||
CodeSonar |
| LANG.CAST.PC.CONST2PTR LANG.CAST.PC.INT | Conversion: integer constant to pointer Conversion: pointer/integer | ||||||
Compass/ROSE |
Coverity |
| PW.POINTER_CONVERSION_LOSES_BITS | Fully implemented | ||||||
Cppcheck Premium |
| premium-cert-int36-c | Partially implemented | ||||||
Helix QAC |
| C0303, C0305, C0306, C0309, C0324, C0326, C0360, C0361, C0362 C++3040, C++3041, C++3042, C++3043, C++3044, C++3045, C++3046, C++3047, C++3048 | |||||||
Klocwork |
| MISRA.CAST.OBJ_PTR_TO_INT.2012 |
LDRA tool suite |
| 439 S, 440 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-INT36-b | A conversion should not be performed between a pointer to object type and an integer type other than 'uintptr_t' or 'intptr_t' | |||||||
PC-lint Plus |
| 4287 | Partially supported: reports casts from pointer types to smaller integer types which lose information | ||||||
Polyspace Bug Finder |
| Checks for unsafe conversion between pointer and integer (rule partially covered) | |||||||
PVS-Studio |
| V527, V528, V542, V566, V601, V647, V1091 | |||||||
RuleChecker |
| pointer-integral-cast pointer-integral-cast-implicit function-pointer-integer-cast function-pointer-integer-cast-implicit | Fully checked | ||||||
SonarQube C/C++ Plugin |
| S1767 | Partially implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C |
INT11-CPP. Take care when converting from pointer to integer or integer to pointer | Prior to 2018-01-12: CERT: Unspecified Relationship | |
ISO/IEC TR 24772:2013 | Pointer Casting and Pointer Type Changes [HFC] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961:2013 | Converting a pointer to integer or integer to pointer [intptrconv] |
Prior to 2018-01-12: CERT: Unspecified Relationship | ||
CWE 2.11 | CWE-587, Assignment of a Fixed Address to a Pointer | 2017-07-07: CERT: Partial overlap |
CWE 2.11 | CWE-704 | 2017-06-14: CERT: Rule subset of CWE |
CWE 2.11 | CWE-758 | 2017-07-07: CERT: Rule subset of CWE |
CWE 3.1 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2018-10-19:CERT:None |
CWE 3.1 | CWE-466, Return of Pointer Value Outside of Expected Range | 2018-10-19:CERT:None |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-758 and INT36-C
Independent( INT34-C, INT36-C, MEM30-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)
CWE-758 = Union( INT36-C, list) where list =
- Undefined behavior that results from anything other than integer <-> pointer conversion
CWE-704 and INT36-C
CWE-704 = Union( INT36-C, list) where list =
- Incorrect (?) typecast that is not between integers and pointers
CWE-587 and INT36-C
Intersection( CWE-587
...
, INT36-C) =
- Setting a pointer to an integer value that is ill-defined (trap representation, improperly aligned, mis-typed, etc)
CWE-587 – INT36-C =
- Setting a pointer to a valid integer value (eg points to an object of the correct t ype)
INT36-C – CWE-587 =
- Illegal pointer-to-integer conversion
Intersection(INT36-C,CWE-466) = ∅
Intersection(INT36-C,CWE-466) = ∅
An example explaining the above two equations follows:
static char x[3];
char* foo() {
int x_int = (int) x; // x_int = 999 eg
return x_int + 5; // returns 1004 , violates CWE 466
}
...
int y_int = foo(); // violates CWE-466
char* y = (char*) y_int; // // well-defined but y may be invalid, violates INT36-C
char c = *y; // indeterminate value, out-of-bounds read, violates CWE-119
Bibliography
...
...