SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 92 Next »

According to the C Standard, 7.4 [ISO/IEC 9899:2011],

The header <ctype.h> declares several functions useful for classifying and mapping characters. In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined.

See also undefined behavior 113.

This rule is applicable only to code that runs on platforms where the char data type is defined to have the same range, representation, and behavior as signed char.

Following are the character classification functions that this rule addresses:

isalnum()

isalpha()

isascii()XSI

isblank()

iscntrl()

isdigit()

isgraph()

islower()

isprint()

ispunct()

isspace()

isupper()

isxdigit()

toascii()XSI

toupper()

tolower()

XSI denotes an X/Open System Interfaces Extension to ISO/IEC 9945—POSIX. These functions are not defined by the C Standard.

This rule is a specific instance of STR34-C. Cast characters to unsigned char before converting to larger integer sizes.

Noncompliant Code Example

On implementations where plain char is signed, this code example is noncompliant because the parameter to isspace(), *t, is defined as a const char *, and this value might not be representable as an unsigned char:

#include <ctype.h>
#include <string.h>
 
size_t count_preceding_whitespace(const char *s) {
  const char *t = s;
  size_t length = strlen(s) + 1;
  while (isspace(*t) && (t - s < length)) { 
    ++t;
  }
  return t - s;
} 

The argument to isspace() must be EOF or representable as an unsigned char; otherwise, the result is undefined.

Compliant Solution

This compliant solution casts the character to unsigned char before passing it as an argument to the isspace() function:

#include <ctype.h>
#include <string.h>
 
size_t count_preceding_whitespace(const char *s) {
  const char *t = s;
  size_t length = strlen(s) + 1;
  while (isspace((unsigned char)*t) && (t - s < length)) { 
    ++t;
  }
  return t - s;
}

Risk Assessment

Passing values to character handling functions that cannot be represented as an unsigned char to character handling functions is undefined behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

STR37-C

Low

Unlikely

Low

P3

L3

Automated Detection

Tool

Version

Checker

Description

CodeSonar8.1p0MISC.NEGCHARNegative Character Value

Compass/ROSE

  

Could detect violations of this rule by seeing if the argument to a character handling function (listed above) is not an unsigned char

ECLAIR

1.2

CC2.STR37

Fully implemented

PRQA QA-C
Unable to render {include} The included page could not be found.
4413,4414Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C Secure Coding StandardSTR34-C. Cast characters to unsigned char before converting to larger integer sizes
SEI CERT C++ Coding StandardVOID STR37-CPP. Arguments to character handling functions must be representable as an unsigned char
ISO/IEC TS 17961Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext]
MITRE CWECWE-704, Incorrect Type Conversion or Cast
CWE-686, Function Call with Incorrect Argument Type

Bibliography

[ISO/IEC 9899:2011]7.4, "Character Handling <ctype.h>"
[Kettlewell 2002]Section 1.1, "<ctype.h> and Characters Types"

 

  • No labels