Semmle 1.21
Skip to end of metadata
Go to start of metadata

Name: Suspicious pointer scaling to void

Description: Implicit scaling of pointer arithmetic expressions can cause buffer overflow conditions.

ID: cpp/suspicious-pointer-scaling-void

Kind: problem

Severity: warning

Precision: medium

Query: IncorrectPointerScalingVoid.ql
 * @name Suspicious pointer scaling to void
 * @description Implicit scaling of pointer arithmetic expressions
 *              can cause buffer overflow conditions.
 * @kind problem
 * @problem.severity warning
 * @precision medium
 * @id cpp/suspicious-pointer-scaling-void
 * @tags security
 *       external/cwe/cwe-468
import IncorrectPointerScalingCommon

from Expr dest, Type destType, Type sourceType, Type sourceBase,
     Type destBase, Location sourceLoc
where exists(pointerArithmeticParent(dest))
  and exprSourceType(dest, sourceType, sourceLoc)
  and sourceBase = baseType(sourceType)
  and destType = dest.getFullyConverted().getType()
  and destBase = baseType(destType)
  and destBase.getSize() != sourceBase.getSize()
  and not dest.isInMacroExpansion()

  // Only produce alerts that are not produced by `IncorrectPointerScaling.ql`.
  and (destBase instanceof VoidType)
  "This pointer might have type $@ (size " + sourceBase.getSize() +
  "), but the pointer arithmetic here is done with type void",
  sourceLoc, sourceBase.toString()

Casting arbitrary pointers into void* and then accessing their contents should be done with care. The results may not be portable.

This query finds pointer arithmetic expressions where a pointer to void (or similar) is then cast to another type and dereferenced.

  1. Whenever possible, use the array subscript operator rather than pointer arithmetic. For example, replace *(p+k) with p[k].
  2. Cast to the correct type before using pointer arithmetic. For example, if the type of p is void* but it really points to an array of type double[] then use the syntax (double*)p + k to get a pointer to the k'th element of the array.
  3. If pointer arithmetic must be done with a single-byte width, prefer char * to void *, as pointer arithmetic on void * is a nonstandard GNU extension.

char example1(int i) {
  int intArray[5] = { 1, 2, 3, 4, 5 };
  void *voidPointer = (void *)intArray;
  // BAD: the pointer arithmetic uses type void*, so the offset
  // is not scaled by sizeof(int).
  return *(voidPointer + i);

int example2(int i) {
  int intArray[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
  int *intPointer = intArray;
  // GOOD: the offset is automatically scaled by sizeof(int).
  return *(intPointer + i);

  • Common Weakness Enumeration: CWE-468.