
Two consecutive question marks signify the start of a trigraph sequence. Trigraph replacement happens in translation phase 1, before comments are removed, lines are spliced, or tokens (including string literals) are recognized, so an accidental ?? followed by one of the nine trigraph characters changes the source text wherever it appears.

According to the C99 Standard [[ISO/IEC 9899-1999]]:

All occurrences in a source file of the following sequences of three characters (that is, trigraph sequences) are replaced with the corresponding single character.

Trigraph   Replacement
??=        #
??(        [
??/        \
??)        ]
??'        ^
??<        {
??!        |
??>        }
??-        ~

Non-Compliant Code Example

In this non-compliant code example, a++ is not executed. The trigraph sequence ??/ is replaced by \ in translation phase 1, and a backslash immediately followed by a newline splices the two physical lines into one logical line in phase 2, so a++; becomes part of the comment.

// what is the value of a now??/
a++;

Compliant Solution

The following compliant solution eliminates the accidental introduction of the trigraph.

// what is the value of a now?
a++;

Non-Compliant Code Example

This non-compliant code example contains the trigraph sequence ??! inside a string literal. Because trigraph replacement precedes tokenization, it is replaced by the character | even there.

size_t i;
/* assignment of i */
if (i > 9000) {
   puts("Over 9000!??!");
}

The above code prints Over 9000!| when compiled by a conforming C compiler (trigraph replacement has been part of the language since C90 and is retained in C99). Note that some compilers do not expand trigraphs by default; GCC, for example, leaves them alone in its default GNU mode unless a strict standard mode such as -std=c99 or -ansi, or the -trigraphs option, is selected. Code that contains accidental trigraphs therefore behaves differently from one compiler or option set to another.

Compliant Solution

The compliant solution uses string concatenation to separate the two question marks into adjacent string literals, which are joined only in translation phase 6, long after trigraph replacement has taken place. The simple escape sequence \? exists for the same purpose and may be used instead.

size_t i;
/* assignment of i */
if (i > 9000) {
   puts("Over 9000!?""?!");
}

The above code will print out Over 9000!??!, as intended.

Implementation Details

Some compilers provide options to warn when trigraphs are encountered, or to disable trigraph expansion. GCC warns with -Wtrigraphs (enabled by -Wall) about trigraphs that would change the meaning of the program, and expands trigraphs only in strict standard modes (-std=c99, -ansi) or when -trigraphs is given. Microsoft Visual C++ leaves trigraph substitution off unless /Zc:trigraphs is specified. Use the warning options and ensure your code compiles cleanly (MSC00-A. Compile cleanly at high warning levels).
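The following program is an added illustration, not code from the CERT standard. It reproduces the translation-phase-1 replacement rule from the table above so that the effect of a trigraph can be checked independently of compiler options, and it reports every trigraph in a buffer of source text the way a warning option would. The function names and the SAMPLE_SOURCE text (constructed from the two noncompliant examples on this page, with the alternatives from the compliant solutions) are this example's own assumptions. The example's own source spells the sequences with the \? escape so that the file itself contains no trigraphs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Third character of a "??x" sequence -> its replacement, or 0 if "??x"
 * is not one of the nine trigraphs listed in C99 5.2.1.1. */
static char trigraph_replacement(char c) {
    switch (c) {
    case '=':  return '#';
    case '(':  return '[';
    case '/':  return '\\';
    case ')':  return ']';
    case '\'': return '^';
    case '<':  return '{';
    case '!':  return '|';
    case '>':  return '}';
    case '-':  return '~';
    default:   return 0;
    }
}

/* Translation phase 1: replace every trigraph in 'in', writing to 'out'
 * (capacity 'outsize'). The replacement is unconditional, so it happens
 * inside comments and string literals too. Returns the number of
 * trigraphs replaced, or -1 if 'out' is too small. */
int expand_trigraphs(const char *in, char *out, size_t outsize) {
    size_t o = 0;
    int replaced = 0;
    if (outsize == 0)
        return -1;
    for (size_t i = 0; in[i] != '\0'; ) {
        char r = 0;
        if (in[i] == '?' && in[i + 1] == '?' && in[i + 2] != '\0')
            r = trigraph_replacement(in[i + 2]);
        if (o + 1 >= outsize)          /* keep room for the terminator */
            return -1;
        if (r != 0) {
            out[o++] = r;              /* three characters become one */
            i += 3;
            replaced++;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return replaced;
}

/* Expand 'in' and compare with 'expected'; returns 1 if they match. */
int expands_to(const char *in, const char *expected) {
    char buf[512];
    if (expand_trigraphs(in, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Report every trigraph in 'src' with its line, column and replacement,
 * as a -Wtrigraphs style warning would. Returns the number found. */
int report_trigraphs(const char *src) {
    int line = 1, col = 1, count = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '?' && src[i + 1] == '?' && src[i + 2] != '\0') {
            char r = trigraph_replacement(src[i + 2]);
            if (r != 0) {
                printf("line %d, col %d: trigraph ?\?%c would become %c\n",
                       line, col, src[i + 2], r);
                count++;
            }
        }
        if (src[i] == '\n') { line++; col = 1; } else col++;
    }
    return count;
}

/* Constructed sample (assumption of this example): the page's two
 * noncompliant lines, followed by the two safe spellings. \? is the C
 * escape for '?', used here so this file contains no trigraphs itself. */
const char SAMPLE_SOURCE[] =
    "// what is the value of a now?\?/\n"
    "a++;\n"
    "puts(\"Over 9000!?\?!\");\n"
    "puts(\"Over 9000!?\" \"?!\"); /* concatenation: no trigraph */\n"
    "puts(\"Over 9000!?\\?!\"); /* escape: no trigraph */\n";

int main(void) {
    char out[512];
    int found = report_trigraphs(SAMPLE_SOURCE);
    printf("%d trigraph(s) found\n", found);
    if (expand_trigraphs(SAMPLE_SOURCE, out, sizeof out) >= 0)
        fputs(out, stdout);            /* what the compiler sees after phase 1 */
    return 0;
}
```

Running it shows the two accidental trigraphs (the ??/ that will splice a++; into the comment, and the ??! inside the string) and leaves the concatenated and escaped spellings untouched; a "???=" input expands to "?#", since only the last three characters form a trigraph.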

Risk Assessment

Recommendation   Severity   Likelihood     Remediation Cost   Priority   Level
PRE07-A          1 (low)    1 (unlikely)   2 (medium)         P2         L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 5.2.1.1, "Trigraph sequences"
[Wikipedia] "C Trigraphs"

