Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added PC-lint Plus to Automated Detection Table

The Subclause 7.21.7.10 of the C Standard [ISO/IEC 9899:2011] defines ungetc() as follows:

The ungetc function pushes the character specified by c (converted to an unsigned char) back onto the input stream pointed to by stream. Pushed-back characters will be returned by subsequent reads on that stream in the reverse order of their pushing. A successful intervening call (with the stream pointed to by stream) to a file positioning function (fseek, fsetpos, or rewind) discards any pushed-back characters for the stream. The external storage corresponding to the stream is unchanged.

One character of pushback is guaranteed.

Consequently, multiple calls to ungetc() on the same stream must be separated by a call to a read function or a file-positioning function (which will discard any data pushed by ungetc()).

Likewise, for ungetwc(), C guarantees only one wide character of pushback (subclause 7.29.3.10). Consequently, multiple calls to ungetwc() on the same stream a character onto an input stream. This pushed character can then be read by subsequent calls to functions that read from that stream. However, the ungetc() function has serious limitations. A call to a file positioning function, such as fseek(), will discard any character pushed back by ungetc(). Also, the C standard only guarantees that the pushing back of one character will succeed. Therefore, subsequent calls to ungetc() must be separated by a call to a read function or a file-positioning function (which will discard any data pushed by ungetcungetwc()).

...

Noncompliant Code Example

In this non-compliant noncompliant code example, more than one character is pushed back on the stream referenced by fptr. fp:

Code Block
bgColor#ffcccc
langc
FILE *fp;
char *file_name;

/* Initialize file_name */

fp
FILE* fptr = fopen(file_name, "rb");
if (fptrfp == NULL) {
  /* Handle Errorerror */
}

/* Read data */

if (ungetc('\n', fptr);
fp) == EOF) {
  /* Handle error */
}
if (ungetc('\r', fptr); fp) == EOF) {
  /* Handle error */
}

/* Continue on */

Compliant Solution

If more than one character needs to be pushed by ungetc(), then fgetpos() and fsetpos() should be used before and after reading the data instead of pushing it back with ungetc(). Note that this solution can applies only be used if the input is seekable.

Code Block
bgColor#ccccff
langc

FILE* fptrFILE *fp;
fpos_t pos;
char *file_name;

/* Initialize file_name */

fp = fopen(file_name, "rb");
fpos_t pos;

if (fptrfp == NULL) {
  /* Handle Errorerror */
}

/* Read data */

if (fgetpos(fptrfp, &pos)) {
  /* Handle Errorerror */
}

/* Read the data that will be "pushed back" */

if (fsetpos(fptrfp, &pos)) {
  /* Handle Errorerror */
}

/* Continue on */

Wiki MarkupWhen using {{Remember to always call fgetpos()}} and {{ before fsetpos()}} it important to keep in mind \[[. (See FIO44-C. Only use values for fsetpos() that are returned from fgetpos().)]\]

Risk Assessment

If used improperly, ungetc() and ungetwc() can cause data to be truncated or lost.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO13-

A

C

medium

Medium

probable

Probable

high

High

P4

L3

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
(customization)Users can implement a custom check that triggers a warning when ungetc() is called twice on the same stream without an intervening call to a read function or a file-positioning function.
Compass/ROSE



Can detect simple violations of this recommendation. In particular, it warns when two calls to ungetc() on the same stream are not interspersed with a file-positioning or file-read function. It cannot handle cases where ungetc() is called from inside a loop

LDRA tool suite
Include Page
LDRA_V
LDRA_V

83 D

Partially implemented

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

2470

Fully supported

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Reference

...

Bibliography

...

[

...

9899:2011]Subclause 7.21.7.

...

10,

...

"The ungetc Function"


...

Image Added Image Added Image Added {{ungetc}} function"FIO12-A. Prefer setvbuf() to setbuf()      09. Input Output (FIO)       FIO14-A. Understand the difference between text mode and binary mode with file streams