The definition of pointer arithmetic from the C++ Standard, [expr.add], paragraph 7, states [ISO/IEC 14882-2014]:
For addition or subtraction, if the expressions
P
orQ
have type “pointer to cvT
”, whereT
is different from the cv-unqualified array element type, the behavior is undefined. [Note: In particular, a pointer to a base class cannot be used for pointer arithmetic when the array contains objects of a derived class type. —end note]
Pointer arithmetic does not account for polymorphic object sizes, and attempting to perform pointer arithmetic on a polymorphic object value results in undefined behavior.
The C++ Standard, [expr.sub], paragraph 1, defines array subscripting as being identical to pointer arithmetic. Specifically, it states:
The expression
E1[E2]
is identical (by definition) to*((E1)+(E2))
.
Do not use pointer arithmetic, including array subscripting, on polymorphic objects.
Noncompliant Code Example
In this noncompliant code example, f()
accepts an array of S
objects as its first parameter. However, main()
passes an array of T
objects as the first argument to f()
, which results in undefined behavior due to the pointer arithmetic used within the for
loop.
#include <iostream> int GlobI; double GlobD; struct S { int I; S() : I(GlobI++) {} }; struct T : S { double D; T() : S(), D(GlobD++) {} }; void f(const S *SomeSes, std::size_t Count) { for (const S *End = SomeSes + Count; SomeSes != End; ++SomeSes) { std::cout << SomeSes->I << std::endl; } } int main() { T Test[5]; f(Test, 5); }
This example would still be noncompliant if the for
loop had instead been written to use array subscripting, as in the following:
for (std::size_t i = 0; i < Count; ++i) { std::cout << SomeSes[i].I << std::endl; }
Compliant Solution (Array)
Instead of having an array of objects, an array of pointers solves the problem of the objects being of different sizes, as in this compliant solution:
#include <iostream> int GlobI; double GlobD; struct S { int I; S() : I(GlobI++) {} }; struct T : S { double D; T() : S(), D(GlobD++) {} }; void f(const S * const *SomeSes, std::size_t Count) { for (const S * const *End = SomeSes + Count; SomeSes != End; ++SomeSes) { std::cout << (*SomeSes)->I << std::endl; } } int main() { S *Test[] = {new T, new T, new T, new T, new T}; f(Test, 5); for (auto V : Test) { delete V; } }
The elements in the arrays are no longer polymorphic objects (instead, they are pointers to polymorphic objects), and so there is no undefined behavior with the pointer arithmetic.
Compliant Solution (std::vector
)
Another approach is to use a standard template (STL) library container instead of an array and have f()
accept iterators as parameters, as in this compliant solution. However, because STL containers require homogeneous elements, pointers are still required within the container.
#include <iostream> #include <vector> int GlobI; double GlobD; struct S { int I; S() : I(GlobI++) {} }; struct T : S { double D; T() : S(), D(GlobD++) {} }; template <typename Iter> void f(Iter I, Iter E) { for (; I != E; ++I) { std::cout << (*I)->I << std::endl; } } int main() { std::vector<S *> Test{new T, new T, new T, new T, new T}; f(Test.cbegin(), Test.cend()); for (auto V : Test) { delete V; } }
Risk Assessment
Using arrays polymorphically can result in memory corruption, which could lead to an attacker being able to execute arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
CTR56-CPP | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
PRQA QA-C++ | 4.4 | 3072, 3073 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
[ISO/IEC 14882-2014] | 5.7, "Additive Operators" |
[Stroustrup 06] | What's wrong with arrays? |
[Meyers 06] | Item 3: Never treat arrays polymorphically |
[Lockheed Martin 05] | AV Rule 96, Arrays shall not be treated polymorphically |
[Sutter 04] | Item 100: Don't treat arrays polymorphically |