Suspicious pointer scalingΒΆ
ID: cpp/suspicious-pointer-scaling
Kind: problem
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-468
Query suites:
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
Pointer arithmetic in C and C++ is automatically scaled according to the size of the data type. For example, if the type of p is T* and sizeof(T) == 4 then the expression p+1 adds 4 bytes to p. This can cause a buffer overflow condition if the programmer forgets that they are adding a multiple of sizeof(T), rather than a number of bytes.
This query finds pointer arithmetic expressions where it appears likely that the programmer has forgotten that the offset is automatically scaled.
RecommendationΒΆ
Whenever possible, use the array subscript operator rather than pointer arithmetic. For example, replace
*(p+k)withp[k].Cast to the correct type before using pointer arithmetic. For example, if the type of
pisint*but it really points to an array of typedouble[]then use the syntax(double*)p + kto get a pointer to thekβth element of the array.
ExampleΒΆ
int example1(int i) {
int intArray[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
int *intPointer = intArray;
// BAD: the offset is already automatically scaled by sizeof(int),
// so this code will compute the wrong offset.
return *(intPointer + (i * sizeof(int)));
}
int example2(int i) {
int intArray[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
int *intPointer = intArray;
// GOOD: the offset is automatically scaled by sizeof(int).
return *(intPointer + i);
}
ReferencesΒΆ
Common Weakness Enumeration: CWE-468.