According to MISRA 2008, concatenation of wide and narrow string literals leads to undefined behavior. This was once considered implicitly undefined behavior until C90 [ISO/IEC 9899:1990]. However, C99 defined this behavior [ISO/IEC 9899:1999], and C11 further explains in Section subclause 6.4.5, paragraph 5 [ISO/IEC 9899:2011]:
In translation phase 6, the multibyte character sequences specified by any sequence of adjacent character and identically-prefixed string literal tokens are concatenated into a single multibyte character sequence. If any of the tokens has an encoding prefix, the resulting multibyte character sequence is treated as having the same prefix; otherwise, it is treated as a character string literal. Whether differently-prefixed wide string literal tokens can be concatenated and, if so, the treatment of the resulting multibyte character sequence are implementation-defined.
...
The concatenation of wide and narrow string literals could lead to undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
STR10-C |
Low |
Probable |
Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| encoding-mismatch | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-STR10 | |||||||
| ECLAIR |
|
CC2.STR10 | Fully implemented. | ||||||||
| Helix QAC |
| C0874 | |||||||
| LDRA tool suite |
| 450 S | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-STR10-a | Narrow and wide string literals shall not be concatenated | ||||||
| PC-lint Plus |
| 707 | Fully supported | ||||||
| SonarQube C/C++ Plugin |
| NarrowAndWideStringConcat | |||||||
| RuleChecker |
| encoding-mismatch | Fully checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [ISO/IEC 9899:2011] | Section 6.4.5, "String Literals" |
...
...