Page History

The Since std::basic_string is a container of characters, this rule is a specific instance of CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container. As a container, it supports iterators just like other containers in the Standard Template Library. However, the std::basic_string template class has unusual invalidation semantics. According to the The C++ Standard, [string.require], paragraph 5 [ISO/IEC 14882-2014], states the following:

References, pointers, and iterators referring to the elements of a basic_string sequence may be invalidated by the following uses of that basic_string object:

• As an argument to any standard library function taking a reference to non-const basic_string as an argument.
• Calling non-const member functions, except operator[], at, front, back, begin, rbegin, end, and rend.

...

Do not use an invalidated reference, pointer, or iterator because doing so results in undefined behavior. This rule is a specific instance of CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container.

Noncompliant Code Example

This noncompliant code example copies input into a std::string, replacing semicolon (;) characters  characters with spaces. This example is noncompliant because the iterator loc is invalidated after the first call to insert(). The behavior of subsequent calls to insert() is undefined.

#include <string>
 
void f(const std::string &input) {
  std::string email;
  std::string::iterator loc = email.begin();

  // Copy input into email converting ";" to " "
  std::string::iterator loc = email.begin();
  for (auto Ii = input.begin(), Ee = input.end(); Ii != Ee; ++Ii, ++loc) {
    email.insert(loc, *Ii != ';' ? *Ii : ' ');
  }
}

Compliant Solution (std::string::insert())

...

#include <string>
 
void f(const std::string &input) {
  std::string email;
  std::string::iterator loc = email.begin();

  // Copy input into email converting ";" to " "
  std::string::iterator loc = email.begin();
  for (auto Ii = input.begin(), Ee = input.end(); Ii != Ee; ++Ii, ++loc) {
    loc = email.insert(loc, *Ii != ';' ? *Ii : ' ');
  }
}

Compliant Solution (std::replace())

In this This compliant solution , the manual loop is replaced with uses a standard algorithm that performs to perform the replacement. Using generic algorithms is generally When possible, using a generic algorithm is preferable to inventing your own solution when possible.

#include <algorithm>
#include <string>
 
void f(const std::string &input) {
  std::string email{input};
  std::replace(email.begin(), email.end(), ';', ' ');
}

Noncompliant Code Example

In this noncompliant code example, data is invalidated after the call to replace(), and so its use in g() is undefined behavior.

#include <iostream>
#include <string>
 
extern void g(const char *);
 
void f(std::string &exampleString) {
  const char *data = exampleString.data();
  // ...
  exampleString.replace(0, 2, "bb");
  // ...
  g(data);
}

Compliant Solution

In this compliant solution, the pointer to exampleString's internal buffer is not generated until after the modification from replace() has completed.

#include <iostream>
#include <string>

extern void g(const char *);

void f(std::string &exampleString) {
  // ...
  exampleString.replace(0, 2, "bb");
  // ...
  g(exampleString.data());
}

Risk Assessment

Using an invalid reference, pointer, or iterator to a string object could allow an attacker to run arbitrary code.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...

...

Image Modified Image Modified Image Modified