...
Conversions between integers and pointers can have undesired consequences depending on the implementation.
According to the to the C Standard, subclause 6.3.2.3 3 [ISO/IEC 9899:20112024],
An integer may be converted to any pointer type. Except as previously specified, the result is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
...
The result of this assignment is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
Compliant Solution
Adding an explicit cast may help the compiler convert the integer value into a valid pointer. A common technique is to assign the integer to a volatile-qualified object of type intptr_t or uintptr_t and then assign the integer value to the pointer:
...
| bgColor | #ccccff |
|---|---|
| lang | c |
...
Unfortunately this code cannot be made safe while strictly conforming to ISO C.
A particular platform (that is, hardware, operating system, compiler, and Standard C library) might guarantee that a memory address is correctly aligned for the pointer type, and actually contains a value for that type. A common practice is to use addresses that are known to point to hardware that provides valid values.
Exceptions
INT36-C-EX1: A null pointer can be converted to an integer; it takes on the value 0. Likewise, the The integer value 0 can be converted to a pointer; it becomes the null pointer.
...
Converting from pointer to integer or vice versa results in code that is not portable and may create unexpected pointers to invalid memory locations.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
INT36-C | Low | Probable | High | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| pointer-integral-cast pointer-integral-cast-implicit function-pointer-integer-cast function-pointer-integer-cast-implicit | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-INT36 | Fully implemented | ||||||
| Clang |
| -Wint-to-pointer-cast, -Wint-conversion | Can detect some instances of this rule, but does not detect all | ||||||
| CodeSonar |
| LANG.CAST.PC.CONST2PTR LANG.CAST.PC.INT | Conversion: integer constant to pointer Conversion: pointer/integer | ||||||
| Compass/ROSE |
| Coverity |
| PW.POINTER_CONVERSION_LOSES_BITS | Fully implemented | ||||||
| Cppcheck Premium |
| premium-cert-int36-c | Partially implemented | ||||||
| Helix QAC |
| C0303, C0305, C0306, C0309, C0324, C0326, C0360, C0361, C0362 C++3040, C++3041, C++3042, C++3043, C++3044, C++3045, C++3046, C++3047, C++3048 | |||||||
| Klocwork |
| MISRA.CAST.OBJ_PTR_TO_INT.2012 |
| LDRA tool suite |
| 439 S, 440 S | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-INT36-b | A conversion should not be performed between a pointer to object type and an integer type other than 'uintptr_t' or 'intptr_t' | |||||||
| PC-lint Plus |
| 4287 | Partially supported: reports casts from pointer types to smaller integer types which lose information | ||||||
| Polyspace Bug Finder |
| Checks for unsafe conversion between pointer and integer (rule partially covered) | |||||||
| PVS-Studio |
| V527, V528, V542, V566, V601, V647, V1091 | |||||||
| RuleChecker |
| pointer-integral-cast pointer-integral-cast-implicit function-pointer-integer-cast function-pointer-integer-cast-implicit | Fully checked | ||||||
| SonarQube C/C++ Plugin |
| S1767 | Partially implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C |
| INT11-CPP. Take care when converting from pointer to integer or integer to pointer | Prior to 2018-01-12: CERT: Unspecified Relationship | |
| ISO/IEC TR 24772:2013 | Pointer Casting and Pointer Type Changes [HFC] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961:2013 | Converting a pointer to integer or integer to pointer [intptrconv] |
| Prior to 2018-01-12: CERT: Unspecified Relationship | ||
| CWE 2.11 | CWE-587, Assignment of a Fixed Address to a Pointer | 2017-07-07: CERT: Partial overlap |
| CWE 2.11 | CWE-704 | 2017-06-14: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-758 | 2017-07-07: CERT: Rule subset of CWE |
| CWE 3.1 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2018-10-19:CERT:None |
| CWE 3.1 | CWE-466, Return of Pointer Value Outside of Expected Range | 2018-10-19:CERT:None |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-758 and INT36-C
Independent( INT34-C, INT36-C, MEM30-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)
CWE-758 = Union( INT36-C, list) where list =
- Undefined behavior that results from anything other than integer <-> pointer conversion
CWE-704 and INT36-C
CWE-704 = Union( INT36-C, list) where list =
- Incorrect (?) typecast that is not between integers and pointers
CWE-587 and INT36-C
Intersection( CWE-587
...
, INT36-C) =
- Setting a pointer to an integer value that is ill-defined (trap representation, improperly aligned, mis-typed, etc)
CWE-587 – INT36-C =
- Setting a pointer to a valid integer value (eg points to an object of the correct t ype)
INT36-C – CWE-587 =
- Illegal pointer-to-integer conversion
Intersection(INT36-C,CWE-466) = ∅
Intersection(INT36-C,CWE-466) = ∅
An example explaining the above two equations follows:
static char x[3];
char* foo() {
int x_int = (int) x; // x_int = 999 eg
return x_int + 5; // returns 1004 , violates CWE 466
}
...
int y_int = foo(); // violates CWE-466
char* y = (char*) y_int; // // well-defined but y may be invalid, violates INT36-C
char c = *y; // indeterminate value, out-of-bounds read, violates CWE-119
Bibliography
...
...