CodeQL documentation
CodeQL resources

Suspicious add with sizeof

ID: cpp/suspicious-add-sizeof
Kind: problem
Security severity: 8.8
Severity: warning
Precision: medium
Tags:
  - security
  - external/cwe/cwe-468
Query suites:
  - cpp-security-extended.qls
  - cpp-security-and-quality.qls


Pointer arithmetic in C and C++ is automatically scaled according to the size of the pointed-to type. For example, if the type of p is T* and sizeof(T) == 4, then the expression p + 1 adds 4 bytes to p, not 1.

This query finds code of the form p + k * sizeof(T). Such code is usually a mistake: the compiler already scales the offset by sizeof(T), so scaling it by hand multiplies the offset by sizeof(T) a second time, which reaches the wrong element and, for large enough k, reads or writes past the end of the array.

Recommendation

  1. Whenever possible, use the array subscript operator rather than pointer arithmetic. For example, replace *(p + k) with p[k].

  2. Cast to the correct type before using pointer arithmetic. For example, if the type of p is char* but it really points to an array of type double[], then use the syntax (double*)p + k to get a pointer to the k'th element of the array; the compiler then scales by sizeof(double) for you.

Example

int example1(int i) {
    int intArray[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    int *intPointer = intArray;

    // BAD: the offset is already automatically scaled by sizeof(int),
    // so this code will compute the wrong offset.
    return *(intPointer + (i * sizeof(int)));
}

int example2(int i) {
    int intArray[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    int *intPointer = intArray;

    // GOOD: the offset is automatically scaled by sizeof(int).
    return *(intPointer + i);
}
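The following program, added here as an illustration and not part of the CodeQL documentation or query, makes the double-scaling concrete and also shows the cast form from recommendation 2. It measures how many bytes p + 1 really advances an int*, compares which element the flagged pattern reaches with the element that was intended, and reads a double out of a byte buffer both by casting first and by explicit byte arithmetic. The arrays sample and values, and all function names, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data for the example (not from the original page). */
static int sample[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};

/* Distance in bytes between p and p + 1 for an int pointer.
 * Pointer arithmetic is scaled by the pointee size, so this equals sizeof(int). */
size_t int_step_bytes(void) {
    int *p = sample;
    return (size_t)((char *)(p + 1) - (char *)p);
}

/* BAD: the offset is scaled by hand on an int*, so it is scaled twice.
 * The element actually reached is k * sizeof(int), not k.  Kept as the
 * flagged pattern; only call with k * sizeof(int) < 10 to stay in bounds. */
int read_bad(int k) {
    return *(sample + k * sizeof(int));
}

/* Element index the BAD form really dereferences, for comparison. */
size_t bad_effective_index(int k) {
    return (size_t)k * sizeof(int);
}

/* GOOD: subscript, equivalent to *(sample + k). */
int read_good(int k) {
    return sample[k];
}

/* Recommendation 2: a byte pointer that really addresses an array of double.
 * Casting first lets the compiler scale by sizeof(double); no manual sizeof.
 * The caller must guarantee that bytes is suitably aligned for double. */
double read_double_at(const unsigned char *bytes, size_t k) {
    const double *as_double = (const double *)bytes;
    return as_double[k];
}

/* With a genuine byte pointer the manual scaling is the correct stride
 * (1 byte), so "p + k * sizeof(T)" is only wrong when p already points to T.
 * memcpy avoids any alignment assumption on the byte buffer. */
double read_double_at_bytes(const unsigned char *bytes, size_t k) {
    double d;
    memcpy(&d, bytes + k * sizeof(double), sizeof d);
    return d;
}

/* Storage declared as double so that its char* alias is correctly aligned. */
static double values[4] = {0.5, 1.5, 2.5, 3.5};

double sample_double(size_t k) {
    return read_double_at((const unsigned char *)values, k);
}

double sample_double_bytes(size_t k) {
    return read_double_at_bytes((const unsigned char *)values, k);
}

int main(void) {
    printf("p + 1 advances %zu bytes for an int*\n", int_step_bytes());
    printf("k=1: good=%d bad=%d (bad really reads index %zu)\n",
           read_good(1), read_bad(1), bad_effective_index(1));
    printf("values[2] via cast=%g, via byte arithmetic=%g\n",
           sample_double(2), sample_double_bytes(2));
    return 0;
}
```

On a platform with 4-byte int, read_bad(1) returns sample[4] (the value 5) rather than sample[1] (the value 2), and any k of 3 or more walks off the end of the ten-element array. The two double readers return the same element; the cast form is the one the recommendation prefers because it never multiplies by sizeof at all.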

References

  • Common Weakness Enumeration: CWE-468.

