CertC++-CTR55

Do not use an additive operator on an iterator if the result would overflow

Required inputs: IR

Expressions that have an integral type can be added to or subtracted from a pointer, resulting in a value of the pointer type. If the resulting pointer is not a valid member of the container, or one past the last element of the container, the behavior of the additive operator is undefined. The C++ Standard, [expr.add], paragraph 5 [ ISO/IEC 14882-2014], in part, states the following:

If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined.

Because iterators are a generalization of pointers, the same constraints apply to additive operators with random access iterators. Specifically, the C++ Standard, [iterator.requirements.general], paragraph 5, states the following:

Just as a regular pointer to an array guarantees that there is a pointer value pointing past the last element of the array, so for any iterator type there is an iterator value that points past the last element of a corresponding sequence. These values are called past-the-end values. Values of an iterator i for which the expression *i is defined are called dereferenceable. The library never assumes that past-the-end values are dereferenceable.

Do not allow an expression of integral type to add to or subtract from a pointer or random access iterator when the resulting value would overflow the bounds of the container.

Noncompliant Code Example ( std::vector)

In this noncompliant code example, a random access iterator from a  std::vector is used in an additive expression, but the resulting value could be outside the bounds of the container rather than a past-the-end value. 

#include <iostream>
#include <vector>
 
void f(const std::vector<int> &c) {
  for (auto i = c.begin(), e = i + 20; i != e; ++i) {
    std::cout << *i << std::endl;
  }
}
Compliant Solution ( std::vector)

This compliant solution assumes that the programmer's intention was to process up to 20 items in the container. Instead of assuming all containers will have 20 or more elements, the size of the container is used to determine the upper bound on the addition.

#include <algorithm>
#include <vector>

void f(const std::vector<int> &c) {
  const std::vector<int>::size_type maxSize = 20;
  for (auto i = c.begin(), e = i + std::min(maxSize, c.size()); i != e; ++i) {
    // ...
  }
}
Risk Assessment

If adding or subtracting an integer to a pointer results in a reference to an element outside the array or one past the last element of the array object, the behavior is undefined but frequently leads to a buffer overflow or buffer underrun, which can often be exploited to run arbitrary code. Iterators and standard template library containers exhibit the same behavior and caveats as pointers and arrays.

Rule Severity Likelihood Remediation Cost Priority Level
CTR55-CPP High Likely Medium P18 L1
Related Guidelines
SEI CERT C Coding Standard  ARR30-C. Do not form or use out-of-bounds pointers or array subscripts
MITRE CWE CWE 129, Unchecked Array Indexing
Bibliography
[ Banahan 2003] Section 5.3, "Pointers"
Section 5.7, "Expressions Involving Pointers"
[ ISO/IEC 14882-2014] Subclause 5.7, "Additive Operators"
Subclause 24.2.1, "In General"
[ VU#162289]
Excerpt from SEI CERT C++ Coding Standard [https://cmu-sei.github.io/secure-coding-standards/sei-cert-cpp-coding-standard/rules/containers-ctr/ctr55-cpp], Copyright (C) 1995-2026 Carnegie Mellon University. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key

Text

Severity

Disabled

cpp_iterator_addition_initialized_overflow

Iterator ‘{}’ initialized as ‘{}’ adds ‘{}’ which may overflow.

None

False

cpp_iterator_addition_not_initialized

Possibly adding to an uninitialized iterator ‘{}’.

None

False

cpp_iterator_call_addition_initialized_overflow

Iterator from call ‘{}’ adds ‘{}’ which may overflow.

None

False

Options