Versions Compared

...

Similarly, the std::string::back() and std::string::front() functions are unchecked because they are defined to call through to the appropriate operator[]() overload without throwing.

Do not pass an out-of-range value as an argument to std::string::operator[](). Similarly, do not call std::string::back() or std::string::front() on an empty string. This rule is a specific instance of CTR50-CPP. Guarantee that container indices and iterators are within the valid range.

...

In this noncompliant code example, the value returned by the call to get_index() may be greater than or equal to the number of elements stored in the string, resulting in undefined behavior:

```cpp
#include <string>

extern std::size_t get_index();

void f() {
  std::string s("01234567");
  // Unchecked: undefined behavior if get_index() returns a value
  // that is not a valid index into s
  s[get_index()] = '1';
}
```

...

This compliant solution uses the std::basic_string::at() function, which behaves in a similar fashion to the index operator[] but throws a std::out_of_range exception if pos >= size():

```cpp
#include <stdexcept>
#include <string>

extern std::size_t get_index();

void f() {
  std::string s("01234567");
  try {
    s.at(get_index()) = '1';
  } catch (std::out_of_range &) {
    // Handle error
  }
}
```

...

This compliant solution checks that the value returned by get_index() is within a valid range before calling operator[]():

```cpp
#include <string>

extern std::size_t get_index();

void f() {
  std::string s("01234567");
  std::size_t i = get_index();
  if (i < s.length()) {
    s[i] = '1';
  } else {
    // Handle error
  }
}
```

...

```cpp
#include <string>
#include <locale>

void capitalize(std::string &s) {
  std::locale lloc;
  // Unchecked: undefined behavior if s is empty
  s.front() = std::use_facet<std::ctype<char>>(lloc).toupper(s.front());
}
```

Compliant Solution

In this compliant solution, the call to std::string::front() is made only if the string is not empty:

```cpp
#include <string>
#include <locale>

void capitalize(std::string &s) {
  if (s.empty()) {
    return;
  }

  std::locale lloc;
  s.front() = std::use_facet<std::ctype<char>>(lloc).toupper(s.front());
}
```
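The following is an added example, not code from the CERT page, that puts the rule's two checked-index patterns (at() with an exception handler, and an explicit range check before operator[]) and the empty-string guard for front()/back() side by side in one translation unit. The helper names set_char_checked, set_char_guarded, capitalize_first and last_char are assumptions of this example; the index is taken as a parameter in place of the page's extern get_index() so the in-range and out-of-range cases can be exercised directly.

```cpp
#include <cstddef>
#include <locale>
#include <stdexcept>
#include <string>

// Pattern 1 (first compliant solution): rely on at(), which throws
// std::out_of_range when pos >= size(). The exception is converted into
// a false return so the caller gets a testable result rather than UB.
bool set_char_checked(std::string &s, std::size_t pos, char c) {
  try {
    s.at(pos) = c;
    return true;
  } catch (const std::out_of_range &) {
    return false;
  }
}

// Pattern 2 (second compliant solution): validate the index before
// operator[]. Note the >= comparison: pos == size() is rejected as well.
// Reading s[size()] is defined (it yields a reference to the terminating
// CharT()), but writing anything other than CharT() through that reference
// is undefined behavior, so a write path must exclude it.
bool set_char_guarded(std::string &s, std::size_t pos, char c) {
  if (pos >= s.size()) {
    return false;
  }
  s[pos] = c;
  return true;
}

// front() on an empty string is undefined; guard with empty() first.
// Returns whether a character was changed.
bool capitalize_first(std::string &s) {
  if (s.empty()) {
    return false;
  }
  std::locale loc;
  s.front() = std::use_facet<std::ctype<char>>(loc).toupper(s.front());
  return true;
}

// back() on an empty string is likewise undefined; report absence through
// the return value instead of reading past the end.
bool last_char(const std::string &s, char &out) {
  if (s.empty()) {
    return false;
  }
  out = s.back();
  return true;
}
```

The guarded write deliberately rejects pos == size() even though at() and the explicit check agree on that case here: at(size()) throws, and the explicit comparison against size() mirrors the page's check against length(). Only the read-side special case for s[size()] differs from a plain "index must be less than size" rule, and this example does not rely on it.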

Risk Assessment

Unchecked element access can lead to out-of-bounds reads and writes and write-anywhere exploits. These exploits can, in turn, lead to the execution of arbitrary code with the permissions of the vulnerable process.

| Rule      | Severity | Likelihood | Remediation Cost | Priority | Level |
|-----------|----------|------------|------------------|----------|-------|
| STR53-CPP | High     | Unlikely   | Medium           | P6       | L2    |

Automated Detection

| Tool | Version | Checker | Description |
|------|---------|---------|-------------|
| Astrée | Astrée_V | assert_failure | |
| CodeSonar | CodeSonar_V | LANG.MEM.BO, LANG.MEM.BU, LANG.MEM.TBA, LANG.MEM.TO, LANG.MEM.TU | Buffer overrun, Buffer underrun, Tainted buffer access, Type overrun, Type underrun |
| Helix QAC | Helix QAC_V | C++3162, C++3163, C++3164, C++3165 | |
| Parasoft C/C++test | Parasoft_V | CERT_CPP-STR53-a | Guarantee that container indices are within the valid range |
| Polyspace Bug Finder | Polyspace Bug Finder_V | CERT C++: STR53-CPP | Checks for: array access out of bounds; array access with tainted index; pointer dereference with tainted offset. Rule partially covered. |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 14882-2014] Subclause 21.4.5, "basic_string Element Access"

[Seacord 2013] Chapter 2, "Strings"

...
