Page History

According to the C Standard, subclause 7.4.1 paragraph 1 [ISO/IEC 9899:20112024],

The header <ctype.h> declares several functions useful for classifying and mapping characters. In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined.

(See also undefined behavior 113.)

Compliance with this This rule is complicated by the fact that applicable only to code that runs on platforms where the char data type can, in any implementation, be signed or unsigned.is defined to have the same range, representation, and behavior as signed char.

Following are the character classification functions that this rule addressesThe following character classification functions are affected:

`isalnum()`	`isalpha()`	`isascii()`^XSI	`isblank()`
`iscntrl()`	`isdigit()`	`isgraph()`	`islower()`
`isprint()`	`ispunct()`	`isspace()`	`isupper()`
`isxdigit()`	`toascii()`^XSI	`toupper()`	`tolower()`

Note: ^XSI denotes an X/Open System Interfaces Extension to ISO/IEC 9945—POSIX. The These functions are not defined by the C Standard.

This rule is a specific instance of STR34-C. Cast characters to unsigned char before converting to larger integer sizes is a generalization of this rule.

Noncompliant Code Example

On implementations where plain char is signed, this code example is noncompliant because the parameter to isspace(), *t, is defined as a const char *, and this value may might not be representable as an unsigned char.:

Code Block

bgColor	#FFcccc
lang	c

#include <ctype.h>
#include <string.h>
 
size_t count_preceding_whitespace(const char *s) {
  const char *t = s;
  size_t length = strlen(s) + 1;
  while (isspace(*t) && (t - s < length)) { 
    ++t;
  }
  return t - s;
}

...

Passing values to character handling functions that cannot be represented as an unsigned char results in undefined program to character handling functions is undefined behavior.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
STR37-C	Low	Unlikely	Low	P3	L3

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

ctype-limits

Partially checked

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-STR37

Fully implemented

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

MISC.NEGCHAR

Negative character value

Compass/ROSE

Could detect violations of this rule by seeing if the argument to a character handling function (listed above) is not an unsigned char

ECLAIR

Include Page

	ECLAIR_V
	ECLAIR_V

CC2.STR37

Fully implemented

PRQA QA-C Include PagePRQA_VPRQA_VSpecial case of STR34-C

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C4413, C4414

C++3051

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

AUTOSAR.STDLIB.CCTYPE.UCHAR
MISRA.ETYPE.ASSIGN.2012

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

663 S

Fully implemented

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-STR37-a

Do not pass incorrect values to ctype.h library functions

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rule STR37-C

Checks for invalid use of standard library integer routine (rule fully covered)

RuleChecker

Include Page

	RuleChecker_V
	RuleChecker_V

ctype-limits

Partially checked

TrustInSoft Analyzer

Include Page

	TrustInSoft Analyzer_V
	TrustInSoft Analyzer_V

valid_char

Partially verified.

Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy	Taxonomy item	Relationship
CERT C Secure Coding Standard	STR34-C. Cast characters to unsigned char before converting to larger integer sizes

CERT C++ Secure Coding Standard STR37-CPP. Arguments to character handling functions must be representable as an unsigned char

Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961	Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext]

MITRE CWE

	Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11	CWE-704, Incorrect

type conversion or cast
CWE-686, Function call with incorrect argument type

Type Conversion or Cast

2017-06-14: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-686 and STR37-C

Intersection( CWE-686, STR37-C) = Ø

STR37-C is not about the type of the argument passed (which is signed int), but about the restrictions placed on the value in this type (must be 0-UCHAR_MAX or EOF). I interpret ‘argument type’ to be specific to the C language, so CWE-686 does not apply to incorrect argument values, just incorrect types (which is relatively rare in C, but still possible).

CWE-704 and STR37-C

STR37-C = Subset( STR34-C)

CWE-683 and STR37-C

Intersection( CWE-683, STR37-C) = Ø

STR37-C excludes mis-ordered function arguments (assuming they pass type-checking), because there is no easy way to reliably detect violations of CWE-683.

Bibliography

[ISO/IEC 9899:

2011

2024]

Subclause

7.4.1, "Character Handling <`ctype.h`>"
[Kettlewell 2002]	Section 1.1, "<`ctype.h`> and Characters Types"

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 85

New Version Current

Key

Noncompliant Code Example

Automated Detection

Related Vulnerabilities

Related Guidelines

CERT-CWE Mapping Notes

CWE-686 and STR37-C

CWE-704 and STR37-C

CWE-683 and STR37-C

Bibliography