According to Section 7.4 of C99,
The header
<ctype.h>declares several functions useful for classifying and mapping characters. In all cases the argument is anint, the value of which shall be representable as anunsigned charor shall equal the value of the macroEOF. If the argument has any other value, the behavior is undefined.
This is complicated by the fact that the char data type might, in any implementation, be signed or unsigned.
Non-Compliant Code Example
This non-compliant code example may pass illegal values to the ctype functions.
size_t count_whitespace(const char *s) {
const char *t = s;
while(isspace(*t)) /* possibly *t < 0 */
++t;
return t - s;
}
Compliant Solution 1
Pass character strings around explicitly using unsigned characters.
size_t count_whitespace(const unsigned *s) {
const unsigned char *t = s;
while(isspace(*t))
++t;
return t - s;
}
This approach is inconvenient when you need to interwork with other functions that haven't been designed with this approach in mind, such as the string handling functions found in the standard library [[Kettlewell 02]].
Compliant Solution 2
This compliant solution uses an explicit cast.
size_t count_whitespace(const char *s) {
const char *t = s;
while(isspace((unsigned char)*t))
++t;
return t - s;
}
Risk Assessment
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
INT37-C |
1 (low) |
1 (unlikely) |
3 (low) |
P3 |
L3 |
Examples of vulnerabilities resulting from the violation of this rule can be found on the CERTwebsite.
References
[[ISO/IEC 9899-1999]] Section 7.4, "Character handling <ctype.h>"
[[Kettlewell 02]] Section 1.1, "<ctype.h> And Characters Types"