CodeQL documentation

Suspicious pointer scaling

ID: cpp/suspicious-pointer-scaling
Kind: problem
Security severity: 8.8
Severity: warning
Precision: medium
Tags:
  - security
  - external/cwe/cwe-468
Query suites:
  - cpp-security-extended.qls
  - cpp-security-and-quality.qls


Pointer arithmetic in C and C++ is automatically scaled according to the size of the data type. For example, if the type of p is T* and sizeof(T) == 4, then the expression p+1 adds 4 bytes to p. This can cause a buffer overflow condition if the programmer forgets that they are adding a multiple of sizeof(T), rather than a number of bytes.

This query finds pointer arithmetic expressions where it appears likely that the programmer has forgotten that the offset is automatically scaled.

Recommendation

  1. Whenever possible, use the array subscript operator rather than pointer arithmetic. For example, replace *(p+k) with p[k].

  2. Cast to the correct type before using pointer arithmetic. For example, if the type of p is int* but it really points to an array of type double[], then use the syntax (double*)p+k to get a pointer to the k'th element of the array.

Example

    int example1(int i) {
      int intArray[10] = {1,2,3,4,5,6,7,8,9,10};
      int *intPointer = intArray;

      // BAD: the offset is already automatically scaled by sizeof(int),
      // so this code will compute the wrong offset.
      return *(intPointer + (i * sizeof(int)));
    }

    int example2(int i) {
      int intArray[10] = {1,2,3,4,5,6,7,8,9,10};
      int *intPointer = intArray;

      // GOOD: the offset is automatically scaled by sizeof(int).
      return *(intPointer + i);
    }
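The following program is an added illustration and is not part of the CodeQL documentation or the query's own test code. It measures how many bytes the compiler actually moves a pointer for a scaled offset, shows for which values of i the pattern in example1 still lands inside a 10-element array (without dereferencing anything out of bounds), and implements both recommendations as bounds-checked accessors: element indexing, explicit byte arithmetic on unsigned char* for cases where a byte offset is what you genuinely hold, and casting to the element type the memory really contains. All function names and the sample arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Number of bytes the compiler actually moves `p` when the source says `p + k`:
   always k * sizeof(*p), never k. Measured through unsigned char* so the
   subtraction yields bytes. Callers must keep p + k inside the same array. */
static ptrdiff_t bytes_moved_by_int_offset(const int *p, ptrdiff_t k) {
    const int *q = p + k;
    return (const unsigned char *)q - (const unsigned char *)p;
}

/* The pattern example1 exhibits: the programmer adds i * sizeof(int) and the
   compiler scales that again, so the element index reached is i * sizeof(int).
   Reports whether that index is still inside an array of `len` ints without
   touching memory. */
static int double_scaled_in_bounds(size_t len, size_t i) {
    size_t index_reached = i * sizeof(int);   /* scaled twice */
    return index_reached < len;
}

/* Recommendation 1: work in elements and bounds-check the index.
   Returns NULL rather than a pointer at or beyond the end of the array. */
static int *element_ptr(int *base, size_t len, size_t k) {
    if (k >= len) return NULL;
    return &base[k];   /* same as base + k, scaled exactly once by the compiler */
}

/* When a byte offset is genuinely what you hold (e.g. parsed from a header),
   do the scaling yourself on unsigned char* and convert back, so the compiler
   does not scale a second time. Rejects misaligned and out-of-range offsets. */
static int *element_ptr_via_bytes(int *base, size_t len, size_t byte_offset) {
    if (byte_offset % sizeof(int) != 0) return NULL;    /* misaligned */
    if (byte_offset / sizeof(int) >= len) return NULL;  /* out of range */
    unsigned char *bytes = (unsigned char *)base;
    return (int *)(bytes + byte_offset);
}

/* Recommendation 2: cast to the element type the memory really holds before
   adding the index. `raw` is assumed to point at storage that actually
   contains n_doubles doubles. */
static const double *kth_double(const void *raw, size_t n_doubles, size_t k) {
    if (k >= n_doubles) return NULL;
    return (const double *)raw + k;   /* scaled by sizeof(double), as intended */
}

int main(void) {
    int intArray[10] = {1,2,3,4,5,6,7,8,9,10};       /* as on the page */
    double vals[4] = {0.5, 1.5, 2.5, 3.5};           /* constructed sample data */

    printf("p + 3 moves %td bytes (sizeof(int) = %zu)\n",
           bytes_moved_by_int_offset(intArray, 3), sizeof(int));
    for (size_t i = 0; i < 5; i++)
        printf("i=%zu: *(p + i*sizeof(int)) reaches index %zu -> %s\n",
               i, i * sizeof(int),
               double_scaled_in_bounds(10, i) ? "in bounds" : "OUT OF BOUNDS");

    int *e4 = element_ptr(intArray, 10, 4);
    int *b16 = element_ptr_via_bytes(intArray, 10, 4 * sizeof(int));
    if (e4 && b16)
        printf("element 4 = %d, byte offset %zu = %d\n", *e4, 4 * sizeof(int), *b16);
    const double *d2 = kth_double(vals, 4, 2);
    if (d2)
        printf("double 2 = %g\n", *d2);
    return 0;
}
```

With a 4-byte int, the loop shows that example1's expression stays inside intArray only for i in {0, 1, 2}; every larger i reads past the end, which is exactly the over-read the query is looking for. The two accessors agree on the address of element 4 because one lets the compiler scale and the other scales explicitly in bytes; doing both at once is the bug.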

References

  • Common Weakness Enumeration: CWE-468.
