...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <png.h> /* From libpng */ #include <string.h> void func(png_structp png_ptr, size_t length, const void *user_data) { png_charp chunkdata; if (length == SIZE_MAX) { /* Handle error */ } if (NULL == user_data) { /* Handle error */ } chunkdata = (png_charp)png_malloc(png_ptr, length + 1); if (NULL == chunkdata) { /* Handle error */ } if (NULL ==/* ... */ memcpy(chunkdata, user_data) { /* Handle error */ } /* ... */ memcpy(chunkdata, user_data, length), length); /* ... */ } |
Noncompliant Code Example
...
Tool | Version | Checker | Description | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| null-dereferencing | Fully checkedCodeSonar | ||||||||||||||||||
Axivion Bauhaus Suite |
| CertC-EXP34 | |||||||||||||||||||
CodeSonar |
| LANG.MEM.NPD | Null pointer dereference | ||||||||||||||||||
Compass/ROSE | Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by | ||||||||||||||||||||
| CHECKED_RETURN NULL_RETURNS REVERSE_INULL FORWARD_NULL | Finds instances where a pointer is checked against Identifies functions that can return a null pointer but are not checked Identifies code that dereferences a pointer and then checks the pointer against Can find the instances where | |||||||||||||||||||
Cppcheck |
| nullPointer, nullPointerDefaultArg, nullPointerRedundantCheck | Context sensitive analysis Detects when NULL is dereferenced (Array of pointers is not checked. Pointer members in structs are not checked.) Finds instances where a pointer is checked against Identifies code that dereferences a pointer and then checks the pointer against Does not guess that return values from | ||||||||||||||||||
Helix QAC |
| DF2810, DF2811, DF2812, DF2813 | Fully implemented | ||||||||||||||||||
Klocwork |
| NPD.CHECK.CALL.MIGHT | Fully implemented | ||||||||||||||||||
LDRA tool suite |
| 45 D, 123 D, 128 D, 129 D, 130 D, 131 D, 652 S | Fully implemented | ||||||||||||||||||
Parasoft C/C++test |
| CERT_C-EXP34-a | Avoid null pointer dereferencing | ||||||||||||||||||
Parasoft Insure++ | Runtime analysis | ||||||||||||||||||||
Polyspace Bug FinderPC-lint Plus |
| Polyspace Bug Finder
| 413, 418, 444, 613, 668 | Partially supported | |||||||||||||||||
Polyspace Bug Finder |
| Arithmetic operation with NULL pointer | Arithmetic operation performed on Standard library memory function called with invalid arguments
Pointer from an unsecure source may be NULL or point to unknown memory The validity of values received from external sources shall be checked. | PRQA QA-C++ | 2810, 2811, 2812, 2813, 2814, 2820, 2821, 2822, 2823, 2824 | PRQA QA-C | |||||||||||||||
Include Page |
| Checks for use of null pointers (rule partially covered) | PRQA QA-C_v | PRQA QA-C_v | 2810, 2811, 2812, 2813, 2814, 2820, 2821, 2822, 2823, 2824 | Fully implemented | |||||||||||||||
PVS-Studio |
| V522, V595, V664, V713, V1004 | |||||||||||||||||||
SonarQube C/C++ Plugin |
| S2259 | |||||||||||||||||||
Splint |
| ||||||||||||||||||||
TrustInSoft Analyzer |
| mem_access | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
EXP34-C is a common consequence of ignoring function return values, but it is a distinct error, and can occur in other scenarios too.
BibliographyBibliography
[Goodin 2009] | |
[Jack 2007] | |
[Liu 2009] | |
[van Sprundel 2006] | |
[Viega 2005] | Section 5.2.18, "Null-Pointer Dereference" |
...