...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <png.h> /* From libpng */ #include <string.h> void func(png_structp png_ptr, size_t length, const void *user_data) { png_charp chunkdata; if (length == SIZE_MAX) { /* Handle error */ } if (NULL == user_data) { /* Handle error */ } chunkdata = (png_charp)png_malloc(png_ptr, length + 1); if (NULL == chunkdata) { /* Handle error */ } if (NULL ==/* ... */ memcpy(chunkdata, user_data) { /* Handle error */ } /* ... */ memcpy(chunkdata, user_data, length), length); /* ... */ } |
Noncompliant Code Example
...
Tool | Version | Checker | Description | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| null-dereferencing | Fully checked | ||||||||||||||||||||||
Axivion Bauhaus Suite |
| CertC-EXP34 | |||||||||||||||||||||||
CodeSonar |
| LANG.MEM.NPD | Null pointer dereference | ||||||||||||||||||||||
Compass/ROSE | Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by | ||||||||||||||||||||||||
| CHECKED_RETURN NULL_RETURNS REVERSE_INULL FORWARD_NULL | Finds instances where a pointer is checked against Identifies functions that can return a null pointer but are not checked Identifies code that dereferences a pointer and then checks the pointer against Can find the instances where | |||||||||||||||||||||||
Cppcheck |
| nullPointer, nullPointerDefaultArg, nullPointerRedundantCheck | Context sensitive analysis Detects when NULL is dereferenced (Array of pointers is not checked. Pointer members in structs are not checked.) Finds instances where a pointer is checked against Identifies code that dereferences a pointer and then checks the pointer against Does not guess that return values from | ||||||||||||||||||||||
Helix QAC |
| DF2810, DF2811, DF2812, DF2813 | Fully implemented C: 2810, 2811, 2812, 2813 C++: 2810, 2811, 2812, 2813 | ||||||||||||||||||||||
Klocwork |
| NPD.CHECK.CALL.MIGHT | Fully implemented | ||||||||||||||||||||||
LDRA tool suite |
| 45 D, 123 D, 128 D, 129 D, 130 D, 131 D, 652 S | Fully implemented | ||||||||||||||||||||||
Parasoft C/C++test |
| CERT_C-EXP34-a | Avoid null pointer dereferencing | ||||||||||||||||||||||
Parasoft Insure++ | Runtime analysis | ||||||||||||||||||||||||
PC-lint Plus |
| 413, 418, 444, 613, 668 | Partially supported | Polyspace Bug Finder | |||||||||||||||||||||
Include Page | Polyspace Bug Finder_V | Polyspace Bug Finder_V | Checks for use of null pointers (rule partially covered) | PRQA QA-C | |||||||||||||||||||||
Include Page | PRQA QA-C_v | PRQA QA-C_v | 2810, 2811, 2812, 2813 | Fully implemented | PRQA QA-C++ | ||||||||||||||||||||
Include Page | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | 2810, 2811, 2812, 2813|||||||||||||||||||||||
Polyspace Bug Finder |
| Checks for use of null pointers (rule partially covered) | |||||||||||||||||||||||
PVS-Studio |
| V522, V595, V664, V713, V1004 | |||||||||||||||||||||||
SonarQube C/C++ Plugin |
| S2259 | |||||||||||||||||||||||
Splint |
| ||||||||||||||||||||||||
TrustInSoft Analyzer |
| mem_access | Exhaustively verified (see one compliant and one non-compliant example). |
...
EXP34-C is a common consequence of ignoring function return values, but it is a distinct error, and can occur in other scenarios too.
BibliographyBibliography
[Goodin 2009] | |
[Jack 2007] | |
[Liu 2009] | |
[van Sprundel 2006] | |
[Viega 2005] | Section 5.2.18, "Null-Pointer Dereference" |
...