When two pointers are subtracted, both must point to elements of the same array object or just one past the last element of the array object (C Standard, 6.5.6 [ISO/IEC 9899:2011]); the result is the difference of the subscripts of the two array elements. Otherwise, the operation is undefined behavior. (See undefined behavior 48.)
Similarly, comparing pointers using the relational operators <, <=, >=, and > gives the positions of the pointers relative to each other. Subtracting or comparing pointers that do not refer to the same array is undefined behavior. (See undefined behavior 48 and undefined behavior 53.)
Comparing pointers using the equality operators == and != has well-defined semantics regardless of whether or not either of the pointers is null, points into the same object, or points one past the last element of an array object or function.
Noncompliant Code Example
In this noncompliant code example, pointer subtraction is used to determine how many free elements are left in the nums array:
#include <stddef.h>
enum { SIZE = 32 };
void func(void) {
int nums[SIZE];
int end;
int *next_num_ptr = nums;
size_t free_elements;
/* Increment next_num_ptr as array fills */
free_elements = &end - next_num_ptr;
}
This program incorrectly assumes that the nums array is adjacent to the end variable in memory. A compiler is permitted to insert padding bits between these two variables or even reorder them in memory.
Compliant Solution
In this compliant solution, the number of free elements is computed by subtracting next_num_ptr from the address of the pointer past the nums array. While this pointer may not be dereferenced, it may be used in pointer arithmetic.
#include <stddef.h>
enum { SIZE = 32 };
void func(void) {
int nums[SIZE];
int *next_num_ptr = nums;
size_t free_elements;
/* Increment next_num_ptr as array fills */
free_elements = &(nums[SIZE]) - next_num_ptr;
}
Exceptions
ARR36-C-EX1: Comparing two pointers to distinct members of the same struct object is allowed. Pointers to structure members declared later in the structure compare greater-than pointers to members declared earlier in the structure.
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ARR36-C | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | 24.04 | pointer-subtraction | Partially checked |
| Coverity | 2017.07 | MISRA C 2004 17.2 MISRA C 2004 17.3 MISRA C 2012 18.2 MISRA C 2012 18.3 | Implemented |
| LDRA tool suite | 9.7.1 | 437 S, 438 S | Fully implemented |
| Parasoft C/C++test | 9.5 | MISRA2008-5_0_17 | Fully implemented |
| PRQA QA-C | Unable to render {include} The included page could not be found. | 0487, 0513, 2771, 2772, | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | CTR54-CPP. Do not subtract iterators that do not refer to the same container |
| ISO/IEC TS 17961 | Subtracting or comparing two pointers that do not refer to the same array [ptrobj] |
| MITRE CWE | CWE-469, Use of Pointer Subtraction to Determine Size |
Bibliography
| [Banahan 2003] | Section 5.3, "Pointers" Section 5.7, "Expressions Involving Pointers" |
| [ISO/IEC 9899:2011] | 6.5.6, "Additive Operators" |
