While it has been common practice to use integers and pointers interchangeably in C, pointer-to-integer and integer-to-pointer conversions are implementation-defined.
Conversions between integers and pointers can have undesired consequences depending on the implementation. According to the C standard, Section 6.3.2.3 [ISO/IEC 9899:2011],
An integer may be converted to any pointer type. Except as previously specified, the result is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
Any pointer type may be converted to an integer type. Except as previously specified, the result is implementation-defined. If the result cannot be represented in the integer type, the behavior is undefined. The result need not be in the range of values of any integer type.
See also undefined behavior 24 of Annex J.
These issues arise because the mapping functions for converting a pointer to an integer or an integer to a pointer must be consistent with the addressing structure of the execution environment. For example, not all machines have a flat memory model.
Noncompliant Code Example
In this noncompliant code example, the pointer ptr
is converted to an integer value. Both a pointer and an int
are assumed to be 32 bits. The high-order 9 bits of the number are used to hold a flag value, and the result is converted back into a pointer.
char *ptr; unsigned int flag; /* ... */ unsigned int number = (unsigned int)ptr; number = (number & 0x7fffff) | (flag << 23); ptr = (char *)number;
A similar scheme was used in early versions of Emacs, limiting its portability and preventing the ability to edit files larger than 8MB.
Please note that this noncompliant code example also violates EXP11-C. Do not make assumptions regarding the layout of structures with bit-fields.
Compliant Solution
Saving a few bits of storage is generally not as important as writing portable code. A struct
can be used to provide room for both the pointer and the flag value. This is portable to machines of different word sizes, both smaller and larger than 32 bits, working even when pointers cannot be represented in any integer type.
struct ptrflag { char *pointer; unsigned int flag :9; } ptrflag; char *ptr; unsigned int flag; /* ... */ ptrflag.pointer = ptr; ptrflag.flag = flag;
Noncompliant Code Example
It is sometimes necessary in low-level kernel or graphics code to access memory at a specific location, requiring a literal integer to pointer conversion. In this noncompliant code, a pointer is set directly to an integer constant, where it is unknown whether the result will be as intended.
unsigned int *ptr = 0xcfcfcfcf;
The result of this assignment is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
Compliant Solution
Adding an explicit cast may help the compiler convert the integer value into a valid pointer.
unsigned int *ptr = (unsigned int *) 0xcfcfcfcf;
Exceptions
INT11-EX1: A null pointer can be converted to an integer; it takes on the value 0. Likewise, a 0 integer can be converted to a pointer; it becomes the null pointer.
INT11-EX2: Any valid pointer to void can be converted to intptr_t
or uintptr_t
and back with no change in value. (This includes the underlying types if intptr_t
and uintptr_t
are typedef
s, and any typedef
s that denote the same types as intptr_t
and uintptr_t
.)
void h(void) { intptr_t i = (intptr_t)(void *)&i; uintptr_t j = (uintptr_t)(void *)&j; void *ip = (void *)i; void *jp = (void *)j; assert(ip == &i); assert(jp == &j); }
Risk Assessment
Converting from pointer to integer or vice versa results in unportable code and may create unexpected pointers to invalid memory locations.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT11-C | low | probable | high | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
9.7.1 | 94 S | Fully implemented | |
Compass/ROSE | |||
PRQA QA-C | Unable to render {include} The included page could not be found. | 0309 (U) | Partially implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: INT11-CPP. Take care when converting from pointer to integer or integer to pointer
ISO/IEC 9899:2011 Section 6.3.2.3, "Pointers"
ISE/IEC TR 17961 (Draft) Converting a pointer to integer or integer to pointer [intptrconv]
ISO/IEC TR 24772 "HFC Pointer casting and pointer type changes"
MITRE CWE: CWE-466, "Return of pointer value outside of expected range"
MITRE CWE: CWE-587, "Assignment of a fixed address to a pointer"