Modifying a variable through a pointer of an incompatible type (other than unsigned char
) can lead to unpredictable results. Subclause 6.2.7 of the C Standard states that two types may be distinct yet compatible and addresses precisely when two distinct types are compatible.
This problem is often caused by a violation of aliasing rules. The C Standard, Section 6.5, paragraph 7 [ ISO/IEC 9899:20112024 ], specifies those circumstances in which an object may or may not be aliased.
An object shall have its stored value accessed only by an lvalue expression that has one of
the following types:
- a type compatible with the effective type of the object,
- a qualified version of a type compatible with the effective type of the object,
- a type that is the signed or unsigned type corresponding to type compatible with the underlying type of the effective type of the object, a type that is
- the signed or unsigned type corresponding to compatible with a qualified version of the underlying type of the effective type of the object,
- an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), oror
- a character type.
Accessing an object by means of any other lvalue expression (other than unsigned char
)
...
...
36.
Noncompliant Code Example
In this noncompliant example, a diagnostic is required because an object of type float
is incremented through an int *
. The programmer can use the unit in the last place to get the next representable value for a pointer to int
, ip
:floating-point type. However, accessing an object through a pointer of an incompatible type is undefined behavior.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> void f(void) { if (sizeof(int) == sizeof(float)) { float f = 0.0f; int *ip = (int *)&f; printf("float is %f\n", f); (*ip)++; // diagnostic required printf("float is %f\n", f); } } |
Compliant Solution
In this compliant solution, the pointer to int
, ip
has been replaced by a pointer to float
, fp
the standard C function nextafterf()
is used to round toward the highest representable floating-point value:
Code Block | ||||
---|---|---|---|---|
| ||||
void f(void) { if (sizeof(int) == sizeof(float)) #include <float.h> #include <math.h> #include <stdio.h> void f(void) { float f = 0.0f; float *fpf = &f; printf("float is %f\n", f); (*fp)++; nextafterf(f, FLT_MAX); printf("float is %f\n", f); } } |
Noncompliant Code Example
The programmer in this noncompliant code example is attempting to read from a different union member than the one most recently written to; this is known as type-punning:
Code Block | ||||
---|---|---|---|---|
| ||||
union a_union {
int i;
double d;
};
int f() {
a_union t;
int *ip;
t.d = 3.0;
ip = &t.i;
return *ip;
}
|
However, instead of reading directly from union member, it assigns a pointer ip
to reference the integer value and returns the value referenced by the pointer. Unfortunately, this is a violation of the strict aliasing rules, and in this case the compiler may determine that ip
refers to some value other than the value stored by t.i
and return a value other than the expected value.
Noncompliant Code Example
In this noncompliant code example, access by taking the address, casting the resulting pointer, and dereferencing the result has undefined behavior, even if the cast uses a union type:
Code Block | ||||
---|---|---|---|---|
| ||||
union a_union {
int i;
double d;
};
int f() {
double d = 3.0;
return ((union a_union *) &d)->i;
}
|
Because of optimization, the function f()
may return something other than the expected value.
Compliant Solution
Type-punning is allowed provided the memory is accessed through the union type. This compliant solution returns the expected value:
Code Block | ||||
---|---|---|---|---|
| ||||
union a_union { int i; double d; }; int f() { a_union t; t.d = 3.0; return t.i; } |
Noncompliant Code Example
In this noncompliant code example, an array of two shorts values of type short
is treated as an integer and assigned an integer value. The resulting value of the two shorts is undefinedvalues are indeterminate.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> void func(void) { short a[2]; a[0]=0x1111; a[1]=0x1111; *(int *)a = 0x22222222; /* violation of aliasing rules */ printf("%x %x\n", a[0], a[1]); } |
When translating this code, an implementation can assume that no access through an integer pointer can change the array a
, consisting of shorts. Consequently, printf()
may be called with the original values of a[0]
and a[1]
. The actual behavior is implementation-defined and can change with optimization level.
Implementation Details
Recent versions of GCC turn on the option -fstrict-aliasing
(,
which allows alias-based optimizations) , by default with -O2
. Some architectures then print "1111 1111" as a result. Without optimization, the executable generates the expected output "2222 2222."
To disable optimizations based on alias analysis for faulty legacy code, the option -fno-strict-aliasing
can be used as a workaround. The option -Wstrict-aliasing
(,
which is included in -Wall
) ,
warns about some, but not all, violations of aliasing rules when -fstrict-aliasing
is active.
When GCC 3.4.6 compiles this code with optimization, the assignment through the aliased pointer is effectively eliminated.
Compliant Solution
This compliant solution uses a union
type that includes a type compatible with the effective type of the object:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> void func(void) { union { short a[2]; int i; } u; u.a[0]=0x1111; u.a[1]=0x1111; u.i = 0x22222222; printf("%x %x\n", u.a[0], u.a[1]); /* ... */ } |
The C standard states:
If the member used to read the contents of a union object is not the same as the member last used to store a value in the object, the appropriate part of the object representation of the value is reinterpreted as an object representation in the new type as described in 6.2.6 (a process sometimes called “type punning”). This might be a trap representation
The call to printf()
typically outputs "2222 2222". However, there is no guarantee that this will be true; the object representations of a
and i
are unspecified and need not be compatible in this way, despite this operation being commonly accepted as an implementation extension. (See unspecified behavior 11.)This code example now reliably outputs "2222 2222."
Noncompliant Code Example
In this noncompliant code example, a gadget
object is allocated, then realloc()
is called to create a widget
object using the memory from the gadget
object. While Although reusing memory to change types is acceptable, accessing the memory copied from the original object is undefined behavior.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> struct gadget { int i; double d; char *p; }; struct widget { char *q; int j; double e; }; void func(void) { struct gadget *gp; struct widget *wp; gp = (struct gadget *)malloc(sizeof(struct gadget)); if (!gp) { /* Handle error */ } /* ... Initialize gadget ... */ wp = (struct widget *)realloc(gp, sizeof(struct widget)); if (!wp) { free(gp); /* Handle error */ } if (wp->j == 12) { /* ... */ } /* ... */ free(wp); } |
Compliant Solution
This compliant solution reuses the memory from the gadget
object , but re-initializes reinitializes the memory to a consistent state before reading from it.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> #include <string.h> struct gadget { int i; double d; char *p; }; struct widget { char *q; int j; double e; }; void func(void) { struct gadget *gp; struct widget *wp; gp = (struct gadget *)malloc(sizeof (struct gadget)); if (!gp) { /* Handle error */ } /* ... */ wp = (struct widget *)realloc(gp, sizeof(struct widget)); if (!wp) { free(gp); /* Handle error */ } memset(wp, 0, sizeof(struct widget)); /* ... Initialize widget ... */ if (wp->j == 12) { /* ... */ } /* ... */ free(wp); } |
Noncompliant Code Example
According to the C Standard, 6.7.7.3 [ISO/IEC 9899:2024], using two or more incompatible arrays in an expression is undefined behavior. (See also undefined behavior 73.)
For two array types to be compatible, both should have compatible underlying element types, and both size specifiers should have the same constant value. If either of these properties is violated, the resulting behavior is undefined.
In this noncompliant code example, the two arrays a
and b
fail to satisfy the equal size specifier criterion for array compatibility. Because a
and b
are not equal, writing to what is believed to be a valid member of a
might exceed its defined memory boundary, resulting in an arbitrary memory overwrite.
Code Block | ||||
---|---|---|---|---|
| ||||
enum { ROWS = 10, COLS = 15 };
void func(void) {
int a[ROWS][COLS];
int (*b)[ROWS] = a;
} |
Most compilers will produce a warning diagnostic if the two array types used in an expression are incompatible.
Compliant Solution
In this compliant solution, b
is declared to point to an array with the same number of elements as a
, satisfying the size specifier criterion for array compatibility:
Code Block | ||||
---|---|---|---|---|
| ||||
enum { ROWS = 10, COLS = 15 };
void func(void) {
int a[ROWS][COLS];
int (*b)[COLS] = a;
} |
Risk Assessment
Optimizing for performance can lead to aliasing errors that can be quite difficult to detect. Furthermore, as in the preceding example, unexpected results can lead to buffer overflow attacks and/or , bypassing security checks and/, or unexpected execution.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP39-C |
Medium |
Unlikely |
High | P2 | L3 |
Automated Detection
Related Guidelines
Cppcheck Premium |
| premium-cert-exp39-c | Partially implemented | ||||||
Helix QAC |
| C0310, C0751, C3305 C++3017, C++3030, C++3033 | |||||||
Klocwork |
| MISRA.CAST.FUNC_PTR.2012 | |||||||
LDRA tool suite |
| 94 S, 554 S | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_C-EXP39-a | There shall be no implicit conversions from integral to floating type | ||||||
Polyspace Bug Finder |
| Checks for cast to pointer pointing to object of different type (rule partially covered) | |||||||
PVS-Studio |
| V580 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
ISO/IEC TS 17961 |
Accessing an object through a pointer to an incompatible type [ptrcomp] | Prior to 2018-01-12: CERT: Unspecified Relationship | |
CWE 2.11 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2017-05-18: CERT: Partial overlap |
CWE 2.11 | CWE-125, Out-of-bounds Read | 2017-05-18: CERT: Partial overlap |
CWE 2.11 | CWE-704 | 2017-06-14: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-119 and EXP39-C
Independent( ARR30-C, ARR38-C, ARR32-C, INT30-C, INT31-C, EXP39-C, EXP33-C, FIO37-C) STR31-C = Subset( Union( ARR30-C, ARR38-C)) STR32-C = Subset( ARR38-C)
Intersection( EXP39-C, CWE-119) =
- Reading memory assigned to one type, but being accessed through a pointer to a larger type.
EXP39-C – CWE-119 =
- Writing to memory assigned to one type, but accessed through a pointer to a larger type
- Reading memory assigned to one type, but being accessed through a pointer to a smaller (or equal-sized) type
CWE-119 – EXP39-C =
- Reading beyond a buffer using a means other than accessing a variable through an incompatible pointer.
CWE-123 and EXP39-C
Intersection( CWE-123, EXP39-C) = Ø
EXP39-C allows overflowing a (small) buffer, but not arbitrary memory writes. (Possibly an arbitrary-memory write exploit could be devised using a “perfect storm” of incompatible types, but this would be uncommon in practice.)
CWE-125 and EXP39-C
Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C) STR31-C = Subset( Union( ARR30-C, ARR38-C)) STR32-C = Subset( ARR38-C)
Intersection( EXP39-C, CWE-125) =
- Reading memory assigned to one type, but being accessed through a pointer to a larger type.
ESP39-C – CWE-125 =
- Reading memory assigned to one type, but being accessed through a pointer to a smaller (or equal-sized) type
CWE-125 – EXP39-C =
- Reading beyond a buffer using a means other than accessing a variable through an incompatible pointer.
CWE-188 and EXP39-C
Intersection( CWE-188, EXP39-C) = Ø
CWE-188 appears to be about making assumptions about the layout of memory between distinct variables (that are not part of a larger struct or array). Such assumptions typically involve pointer arithmetic (which violates ARR30-C). EXP39-C involves only one object in memory being (incorrectly) interpreted as if it were another object. EG a float being treated as an int (usually via pointers and typecasting)
CWE-704 and EXP39-C
CWE-704 = Union( EXP39-C, list) where list =
- Incorrect (?) typecast that is not incompatible
Bibliography
[Acton 2006] | "Understanding Strict Aliasing" |
GCC Known Bugs | "C Bugs, Aliasing Issues while Casting to Incompatible Types" |
[ISO/IEC 9899: |
2024] |
6.5, "Expressions" 6.7.7.3, "Array Declarators" | |
[Walfridsson 2003] | Aliasing, Pointer Casts and GCC 3.3 |
...