Pointer arithmetic must be performed only on pointers that reference elements of array objects.

The C Standard, 6.5.6 [ISO/IEC 9899:2011], states the following about pointer arithmetic:

When an expression that has integer type is added to or subtracted from a pointer, the result has the type of the pointer operand. If the pointer operand points to an element of an array object, and the array is large enough, the result points to an element offset from the original element such that the difference of the subscripts of the resulting and original array elements equals the integer expression.

Noncompliant Code Example

This noncompliant code example attempts to access structure members using pointer arithmetic. This practice is dangerous because structure members are not guaranteed to be contiguous.

struct numbers {
  short num_a, num_b, num_c;
};

int sum_numbers(const struct numbers *numb){
  int total = 0;
  const short *numb_ptr;

  for (numb_ptr = &numb->num_a;
       numb_ptr <= &numb->num_c;
       numb_ptr++) {
    total += *(numb_ptr);
  }

  return total;
}

int main(void) {
  struct numbers my_numbers = { 1, 2, 3 };
  sum_numbers(&my_numbers);
  return 0;
}

Compliant Solution

It is possible to use the -> operator to dereference each structure member:

total = numb->num_a + numb->num_b + numb->num_c;

However, this solution results in code that is hard to write and hard to maintain (especially if there are many more structure members), which is exactly what the author of the noncompliant code example was likely trying to avoid.

Compliant Solution

A better solution is to define the structure to contain an array member to store the numbers in an array rather than a structure, as in this compliant solution:

#include <stddef.h>

struct numbers {
  short a[3];
};

int sum_numbers(const short *numb, size_t dim) {
  int total = 0;
  for (size_t i = 0; i < dim; ++i) {
    total += numb[i];
  }

  return total;
}

int main(void) {
  struct numbers my_numbers = { .a[0]= 1, .a[1]= 2, .a[2]= 3};
  sum_numbers(
    my_numbers.a,
    sizeof(my_numbers.a)/sizeof(my_numbers.a[0])
  );
  return 0;
}

Array elements are guaranteed to be contiguous in memory, so this solution is completely portable.

Exceptions

ARR37-C-EX1: Any non-array object in memory can be considered an array consisting of one element. Adding one to a pointer for such an object yields a pointer one element past the array, and subtracting one from that pointer yields the original pointer. This allows for code such as the following:

#include <stdlib.h>
#include <string.h>
 
struct s {
  char *c_str;
  /* Other members */
};
 
struct s *create_s(const char *c_str) {
  struct s *ret;
  size_t len = strlen(c_str) + 1;
   
  ret = (struct s *)malloc(sizeof(struct s) + len);
  if (ret != NULL) {
    ret->c_str = (char *)(ret + 1);
    memcpy(ret + 1, c_str, len);
  }
  return ret;
}

A more general and safer solution to this problem is to use a flexible array member that guarantees the array that follows the structure is properly aligned by inserting padding, if necessary, between it and the member that immediately precedes it.

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR37-C

Medium

Probable

Medium

P8

L2

Automated Detection

Tool

Version

Checker

Description

Astrée

Supported indirectly via MISRA C:2004 Rule 17.4.
Axivion Bauhaus Suite

CertC-ARR37Fully implemented
CodeSonar

LANG.MEM.BO
LANG.MEM.BU
LANG.STRUCT.PARITH
LANG.STRUCT.PBB
LANG.STRUCT.PPE
LANG.MEM.TBA
LANG.MEM.TO
LANG.MEM.TU

Buffer Overrun
Buffer Underrun
Pointer Arithmetic
Pointer Before Beginning of Object
Pointer Past End of Object
Tainted Buffer Access
Type Overrun
Type Underrun

Compass/ROSE



Coverity
ARRAY_VS_SINGLETONImplemented
Helix QAC

DF2930, DF2931, DF2932, DF2933

C++3705, C++3706, C++3707


Klocwork

MISRA.PTR.ARITH.2012


LDRA tool suite
 
567 SPartially implemented
Parasoft C/C++test
CERT_C-ARR37-a

Pointer arithmetic shall not be applied to pointers that address variables of non-array type

PC-lint Plus

2662

Partially supported

Polyspace Bug Finder

CERT C: Rule ARR37-CChecks for invalid assumptions about memory organization (rule partially covered)


RuleChecker


Supported indirectly via MISRA C:2004 Rule 17.4.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

Bibliography

[Banahan 2003]Section 5.3, "Pointers"
Section 5.7, "Expressions Involving Pointers"
[ISO/IEC 9899:2011]6.5.6, "Additive Operators"
[VU#162289]