Recommendation¶

To check whether an indexi is less than the length of an array, simply compare these two numbers as unsigned integers:i<ARRAY_LENGTH. If the length of the array is defined as the difference between two pointersptr andp_end, writei<p_end-ptr. Ifi is signed, cast it to unsigned in order to guard against negativei. For example, write(size_t)i<p_end-ptr.

Example¶

An invalid check for pointer overflow is most often seen as part of checking whether a numbera is too large by checking first if adding the number toptr goes past the end of an allocation and then checking if adding it toptr creates a pointer so large that it overflows and wraps around.

boolnot_in_range(T*ptr,T*ptr_end,size_ti){returnptr+i>=ptr_end||ptr+i<ptr;// BAD}

In both of these checks, the operations are performed in the wrong order. First, an expression that may cause undefined behavior is evaluated (ptr+i), and then the result is checked for being in range. But once undefined behavior has happened in the pointer addition, it cannot be recovered from: it’s too late to perform the range check after a possible pointer overflow.

While it’s not the subject of this query, the expressionptr+i<ptr_end is also an invalid range check. It’s undefined behavior in C/C++ to create a pointer that points more than one past the end of an allocation.

The next example shows how to portably check whether an unsigned number is outside the range of an allocation betweenptr andptr_end.

boolnot_in_range(T*ptr,T*ptr_end,size_ti){returni>=ptr_end-ptr;// GOOD}

References¶

• Embedded in Academia:Pointer Overflow Checking.

• LWN:GCC and pointer overflows.

• Common Weakness Enumeration:CWE-758.