The definition of pointer arithmetic from the C++ Standard, [expr.add], paragraph 7 [ISO/IEC 14882-2014], states the following:
For addition or subtraction, if the expressions P or Q have type “pointer to cv T”, where T is different from the cv-unqualified array element type, the behavior is undefined. [Note: In particular, a pointer to a base class cannot be used for pointer arithmetic when the array contains objects of a derived class type. —end note]
...
The C++ Standard, [expr.sub], paragraph 11 [ISO/IEC 14882-2014], defines array subscripting as being identical to pointer arithmetic. Specifically, it states the following:
The expression E1[E2] is identical (by definition) to *((E1)+(E2)).
...
The following code examples assume the following static variables and class definitions:

```cpp
int globI;
double globD;

struct S {
  int i;

  S() : i(globI++) {}
  // A virtual destructor is needed because the compliant solution below
  // deletes T objects through S *; without it that delete is undefined behavior.
  virtual ~S() {}
};

struct T : S {
  double d;

  T() : S(), d(globD++) {}
};
```
...
In this noncompliant code example, the for loop uses array subscripting. Since array subscripts are computed using pointer arithmetic, this code also results in undefined behavior.
...
Instead of having an array of objects, an array of pointers solves the problem of the objects being of different sizes, as in this compliant solution:

```cpp
#include <cstddef>
#include <iostream>

// ... definitions for S, T, globI, globD ...

// Every element of someSes is an S *, so ++someSes advances by sizeof(S *):
// the pointer arithmetic is on a homogeneous array of pointers, not on the
// (differently sized) objects themselves.
void f(const S * const *someSes, std::size_t count) {
  for (const S * const *end = someSes + count; someSes != end; ++someSes) {
    std::cout << (*someSes)->i << std::endl;
  }
}

int main() {
  S *test[] = {new T, new T, new T, new T, new T};
  f(test, 5);
  // Deleting a T through an S * is well-defined only if S has a virtual destructor.
  for (auto v : test) {
    delete v;
  }
}
```
...
Using arrays polymorphically can result in memory corruption, which could lead to an attacker being able to execute arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
CTR56-CPP | High | Likely | High | P9 | L2
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
Axivion Bauhaus Suite | | CertC++-CTR56 |
CodeSonar | | LANG.STRUCT.PARITH | Pointer Arithmetic
Helix QAC | | C++3073 |
Parasoft C/C++test | | CERT_CPP-CTR56-a | Don't treat arrays polymorphically
LDRA tool suite | | 567 S | Enhanced Enforcement
Polyspace Bug Finder | | CERT C++: CTR56-CPP | Checks for pointer arithmetic on polymorphic object (rule fully covered)
PVS-Studio | | V777 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
[ISO/IEC 14882-2014] | Subclause 5.7, "Additive Operators"
[Lockheed Martin 2005] | AV Rule 96, "Arrays shall not be treated polymorphically"
[Meyers 1996] | Item 3, "Never Treat Arrays Polymorphically"
[Stroustrup 2006] | "What's Wrong with Arrays?"
[Sutter 2004] | Item 100, "Don't Treat Arrays Polymorphically"
...