You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 77 Next »

According to the C Standard, Section 7.4 [ISO/IEC 9899:2011],

The header <ctype.h> declares several functions useful for classifying and mapping characters. In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined.

(See also undefined behavior 113  of Appendix J.)

Compliance with this rule is complicated by the fact that the char data type can, in any implementation, be signed or unsigned.

The following character classification functions are affected:

isalnum()

isalpha()

isascii() XSI

isblank()

iscntrl()

isdigit()

isgraph()

islower()

isprint()

ispunct()

isspace()

isupper()

isxdigit()

toascii() XSI

toupper()

tolower()

Note: XSI denotes an X/Open System Interfaces Extension to ISO/IEC 9945—POSIX. The functions are not defined by the C Standard.

STR34-C. Cast characters to unsigned char before converting to larger integer sizes is a generalization of this rule.

Noncompliant Code Example

This noncompliant code example may pass invalid values to the isspace() function:

size_t count_preceding_whitespace(const char *s) {
  const char *t = s;

  /* possibly *t < 0 */
  while (*t && isspace(*t)) {
    ++t;
  }
  return t - s;
}

The argument to isspace() must be EOF or representable as an unsigned char; otherwise, the result is undefined.

Compliant Solution

This compliant solution casts the character to unsigned char before passing it as an argument to the isspace() function:

size_t count_preceding_whitespace(const char *s) {
  const char *t = s;

  while (*t && isspace((unsigned char)*t)) {
    ++t;
  }
  return t - s;
}

Risk Assessment

Passing values to character handling functions that cannot be represented as an unsigned char results in undefined program behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

STR37-C

low

unlikely

low

P3

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

  

Could detect violations of this rule by seeing if the argument to a character-handling function (listed above) is not an unsigned char

ECLAIR

1.2

CC2.STR37

Fully implemented

PRQA QA-C
Unable to render {include} The included page could not be found.
Special case of STR34Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding StandardSTR37-CPP. Arguments to character handling functions must be representable as an unsigned char
ISO/IEC TS 17961 (Draft)Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext]
MITRE CWECWE-704, Incorrect type conversion or cast
CWE-686, Function call with incorrect argument type

Bibliography

[ISO/IEC 9899:2011]Section 7.4, "Character Handling <ctype.h>"
[Kettlewell 2002]Section 1.1, "<ctype.h> and Characters Types"

 


  • No labels