Page History

...

Code Block

bgColor	#ccccff
lang	c

#include <png.h> /* From libpng */
#include <string.h>

 void func(png_structp png_ptr, size_t length, const void *user_data) { 
  png_charp chunkdata;
  if (length == SIZE_MAX) {
    /* Handle error */
  }
  if (NULL == user_data) {
    /* Handle error */
  }
  chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  if (NULL == chunkdata) {
    /* Handle error */
  }
  if (NULL ==/* ... */
  memcpy(chunkdata, user_data) {
    /* Handle error */
  }
  /* ... */
  memcpy(chunkdata, user_data, length), length);
  /* ... */

 }

Noncompliant Code Example

...

KlocworkKlocworkPolyspace Bug Finder

2810, 2811, 2812, 2813, 2814,

2820, 2821, 2822, 2823, 2824

Tool Version Checker Description

Astrée

Include Page

	Astrée_V
	Astrée_V

null-dereferencing

Fully checked

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-EXP34

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

LANG.MEM.NPD
LANG.STRUCT.NTAD
LANG.STRUCT.UPD

Null pointer dereference
Null test after dereference
Unchecked parameter dereference

Compass/ROSE

Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by malloc(), calloc(), or realloc() is first checked for NULL before being used (otherwise, it is free()-ed). ROSE does not handle cases where an allocation is assigned to an lvalue that is not a variable (such as a struct member or C++ function call returning a reference)

Coverity

Include Page

	Coverity_V
	Coverity_V

CHECKED_RETURN

NULL_RETURNS

REVERSE_INULL

FORWARD_NULL

Finds instances where a pointer is checked against NULL and then later dereferenced

Identifies functions that can return a null pointer but are not checked

Identifies code that dereferences a pointer and then checks the pointer against NULL

Can find the instances where NULL is explicitly dereferenced or a pointer is checked against NULL but then dereferenced anyway. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary

Cppcheck

Include Page

	Cppcheck_V
	Cppcheck_V

nullPointer, nullPointerDefaultArg, nullPointerRedundantCheck

Context sensitive analysis

Detects when NULL is dereferenced (Array of pointers is not checked. Pointer members in structs are not checked.)

Finds instances where a pointer is checked against NULL and then later dereferenced

Identifies code that dereferences a pointer and then checks the pointer against NULL

Does not guess that return values from malloc(), strchr(), etc., can be NULL (The return value from malloc() is NULL only if there is OOMo and the dev might not care to handle that. The return value from strchr() is often NULL, but the dev might know that a specific strchr() function call will not return NULL.)

Klocwork

Helix QAC

Include Page

	Helix QAC_V

	Helix QAC_V

DF2810, DF2811, DF2812, DF2813

Fully implemented

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

NPDNPD.CHECK.CALL.MIGHT
NPD.CHECK.CALL.MUST
NPD.CHECK.MIGHT
NPD.CHECK.MUST
NPD.CONST.CALL
NPD.CONST.DEREF
NPD.FUNC.CALL.MIGHT
NPD.FUNC.CALL.MUST
NPD.FUNC.MIGHT
NPD.FUNC.MUST
NPD.GEN.CALL.MIGHT
NPD.GEN.CALL.MUST
NPD.GEN.MIGHT
NPD.GEN.MUST
RNPD.CALL
RNPD.DEREF

Fully implemented

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

45 D, 123 D, 128 D, 129 D, 130 D, 131 D, 652 S

Fully implemented

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-EXP34-a

Avoid null pointer dereferencing

Parasoft Insure++ Runtime analysis

Polyspace Bug Finder PC-lint Plus

Include Page

	PC-lint Plus_V

Polyspace Bug Finder_V

Arithmetic operation with NULL pointer

Invalid use of standard library memory routine

Null pointer

Use of tainted pointer

MISRA C:2012 Directive 4.14

Arithmetic operation performed on NULL pointer

Standard library memory function called with invalid arguments

NULL pointer dereferenced

Pointer from an unsecure source may be NULL or point to unknown memory

The validity of values received from external sources shall be checked.

PRQA QA-C

Include Page

PRQA QA-C_v

2810, 2811, 2812, 2813, 2814,

2820, 2821, 2822, 2823, 2824

Fully implemented

PRQA QA-C++

Include Page

cplusplus:PRQA QA-C++_V

	PC-lint Plus_V

413, 418, 444, 613, 668

Partially supported

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rule EXP34-C

Checks for use of null pointers (rule partially covered)

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V522, V595, V664, V713, V1004

SonarQube C/C++ Plugin

Include Page

	SonarQube C/C++ Plugin_V
	SonarQube C/C++ Plugin_V

S2259

Splint

Include Page

	Splint_V
	Splint_V

TrustInSoft Analyzer

Include Page

	TrustInSoft Analyzer_V
	TrustInSoft Analyzer_V

mem_access

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

EXP34-C is a common consequence of ignoring function return values, but it is a distinct error, and can occur in other scenarios too.

BibliographyBibliography

[Goodin 2009]
[Jack 2007]
[Liu 2009]
[van Sprundel 2006]
[Viega 2005]	Section 5.2.18, "Null-Pointer Dereference"

...

Space shortcuts

Page tree

Versions Compared

Old Version 208

New Version Current

Key

Noncompliant Code Example

Related Vulnerabilities

BibliographyBibliography