According to the C Standard, 7.4 [ISO/IEC 9899:2011],
The header
<ctype.h>
declares several functions useful for classifying and mapping characters. In all cases the argument is anint
, the value of which shall be representable as anunsigned char
or shall equal the value of the macroEOF
. If the argument has any other value, the behavior is undefined.
See also undefined behavior 113.
This rule is applicable only to code that runs on platforms where the char
data type is defined to have the same range, representation, and behavior as signed char
.
Following are the character classification functions that this rule addresses:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
XSI denotes an X/Open System Interfaces Extension to ISO/IEC 9945—POSIX. These functions are not defined by the C Standard.
This rule is a specific instance of STR34-C. Cast characters to unsigned char before converting to larger integer sizes.
Noncompliant Code Example
On implementations where plain char
is signed, this code example is noncompliant because the parameter to isspace()
, *t
, is defined as a const char *
, and this value might not be representable as an unsigned char
:
#include <ctype.h> #include <string.h> size_t count_preceding_whitespace(const char *s) { const char *t = s; size_t length = strlen(s) + 1; while (isspace(*t) && (t - s < length)) { ++t; } return t - s; }
The argument to isspace()
must be EOF
or representable as an unsigned char
; otherwise, the result is undefined.
Compliant Solution
This compliant solution casts the character to unsigned char
before passing it as an argument to the isspace()
function:
#include <ctype.h> #include <string.h> size_t count_preceding_whitespace(const char *s) { const char *t = s; size_t length = strlen(s) + 1; while (isspace((unsigned char)*t) && (t - s < length)) { ++t; } return t - s; }
Risk Assessment
Passing values to character handling functions that cannot be represented as an unsigned char
to character handling functions is undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR37-C | Low | Unlikely | Low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Could detect violations of this rule by seeing if the argument to a character handling function (listed above) is not an | |||
1.2 | CC2.STR37 | Fully implemented | |
PRQA QA-C | Unable to render {include} The included page could not be found. | Special case of STR34-C | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C Secure Coding Standard | STR34-C. Cast characters to unsigned char before converting to larger integer sizes |
CERT C++ Secure Coding Standard | STR37-CPP. Arguments to character handling functions must be representable as an unsigned char |
ISO/IEC TS 17961 | Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext] |
MITRE CWE | CWE-704, Incorrect Type Conversion or Cast CWE-686, Function Call with Incorrect Argument Type |
Bibliography
[ISO/IEC 9899:2011] | 7.4, "Character Handling <ctype.h >" |
[Kettlewell 2002] | Section 1.1, "<ctype.h > and Characters Types" |