Page History

The Since std::basic_string is a container of characters, this rule is a specific instance of CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container. As a container, it supports iterators just like other containers in the Standard Template Library. However, the std::basic_string template class has unusual invalidation semantics. The C++ Standard, [string.require], paragraph 5 [ISO/IEC 14882-2014], states the following:

References, pointers, and iterators referring to the elements of a basic_string

...

 sequence may be

...

invalidated by the following uses of that basic_string

...

 object:

• As an argument to

...

Calling non-const member functions, except {{operator\[\]()}}, {{at()}}, {{begin()}}, {{rbegin()}}, {{end()}}, and {{rend()}}.

...

Subsequent to any of the above uses except the forms of {{insert()}} and {{erase()}} which return iterators, the first call to non-const member functions {{operator\[\]()}}, {{at()}}, {{begin()}}, {{rbegin()}}, {{end()}}, or {{rend()}}.

• any standard library function taking a reference to non-const basic_string as an argument.
• Calling non-const member functions, except operator[], at, front, back, begin, rbegin, end, and rend.

Examples of standard library functions taking a reference to non-const std::basic_string are std::swap(), ::operator>>(basic_istream &, string &), and std::getline().

Do not use an invalidated reference, pointer, or iterator because doing so results in undefined behavior.

Noncompliant Code Example

This noncompliant code example copies input into a std::string, replacing semicolon (;) characters with spaces. This example is noncompliant

Non-Compliant Code Example

This non-compliant example copies the null-terminated byte string input into the string email, replacing ';' characters with spaces. This example is non-compliant because the iterator loc is invalidated after the first call to insert(). The behavior of subsequent calls to insert is () is undefined.

#include <string>
 
void f(const std::string &input) {
  std::string email;

  // Copy input into email
char input[] = "bogus@addr.com; cat /etc/passwd";
string email;
string::iterator loc = email.begin();

// copy into string converting ";" to " "
for (size_t i=0; i <= strlen(input); i++) {
  if (input[i] != ';' std::string::iterator loc = email.begin();
  for (auto i = input.begin(), e = input.end(); i != e; ++i, ++loc) {
    email.insert(loc++, input[i]);
  }
  else {
    email.insert(loc++, *i != ';' ? *i : ' ');
  }
} // end string for each element in NTBS

Compliant Solution (std::string::insert())

In this compliant solution, the value of the iterator loc is updated as a result of each call to insert so () so that the insert() method invalidated iterator is never called with an invalid iteratoraccessed. The updated iterator is then incremented at the end of the loop.

#include <string>
char input[] = "bogus@addr.com; cat /etc/passwd";
string email;
string::iterator loc = email.begin();

// copy into string
void f(const std::string &input) {
  std::string email;

  // Copy input into email converting ";" to " "
for (size_t i=0; i <= strlen(input); i++) {
  if (input[i] != ';' std::string::iterator loc = email.begin();
  for (auto i = input.begin(), e = input.end(); i != e; ++i, ++loc) {
    loc = email.insert(loc, input[i] *i != ';' ? *i : ' ');
  }
}

Compliant Solution (std::replace())

This compliant solution uses a standard algorithm to perform the replacement. When possible, using a generic algorithm is preferable to inventing your own solution.

#include  else<algorithm>
#include <string>
 
void f(const std::string &input) {
  std::string email{input};
 loc = std::replace(email.begin(), email.insert(locend(), ';', ' ');
  }
  ++loc;
} // end string for each element in NTBS

...

Noncompliant Code Example

In this non-compliant noncompliant code example, the string s is initialized as "rcs" and the string iterator si is initialized to the beginning of the string. The size of s is three, and we'll assume the capacity is fifteen. The for loop appends 20 characters to the end of the sting. As a result, the si iterator is invalided because the capacity of the string is exceeded requiring a reallocation. As a result, the call to insert() results in  data is invalidated after the call to replace(), and so its use in g() is undefined behavior.

string s("rcs");
string::iterator si = s.begin();

for (size_t i=0; i<20; ++i) {
  s.push_back('x');
}
s.insert(si, '*');

Compliant Solution

...

#include <iostream>
#include <string>
 
extern void g(const char *);
 
void f(std::string &exampleString) {
  const char *data = exampleString.data();
  // ...
  exampleString.replace(0, 2, "bb");
  // ...
  g(data);
}

Compliant Solution

In this compliant solution, the non-compliant example is modified to only append capacity - size characters to the string s. As a result, the call to push_back() no longer invalidates the iterator.pointer to exampleString's internal buffer is not generated until after the modification from replace() has completed.

#include <iostream>
#include <string>

extern void g(const char *);

void f(std::string &exampleString

string s("rcs");
string::iterator si = s.begin();

for (size_t i=0; i < 20; ++i) {
   if ( s.size() == s.capacity() ) {
     break// ...
  exampleString.replace(0, 2, "bb");
  // }...
  s.push_back('x'g(exampleString.data());
}
s.insert(si, '*');

...

Risk Assessment

Using an invalid reference, pointer, or iterator to a string object could allow an attacker to run arbitrary code.

Automated Detection

...

Exceptions

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

Bibliography

References

...

...

...

...

...

Image Added Image Added Image Added