CertC-ARR37

Do not add or subtract an integer to a pointer to a non-array object

Required inputs: IR, StaticSemanticAnalysis

Pointer arithmetic must be performed only on pointers that reference elements of array objects.

The C Standard, 6.5.6 [ ISO/IEC 9899:2011], states the following about pointer arithmetic:

When an expression that has integer type is added to or subtracted from a pointer, the result has the type of the pointer operand. If the pointer operand points to an element of an array object, and the array is large enough, the result points to an element offset from the original element such that the difference of the subscripts of the resulting and original array elements equals the integer expression.

Noncompliant Code Example

This noncompliant code example attempts to access structure members using pointer arithmetic. This practice is dangerous because structure members are not guaranteed to be contiguous.

struct numbers {
  short num_a, num_b, num_c;
};

int sum_numbers(const struct numbers *numb){
  int total = 0;
  const short *numb_ptr;

  for (numb_ptr = &numb->num_a;
       numb_ptr <= &numb->num_c;
       numb_ptr++) {
    total += *(numb_ptr);
  }

  return total;
}

int main(void) {
  struct numbers my_numbers = { 1, 2, 3 };
  sum_numbers(&my_numbers);
  return 0;
}

Compliant Solution

It is possible to use the -> operator to dereference each structure member:

total = numb->num_a + numb->num_b + numb->num_c;

However, this solution results in code that is hard to write and hard to maintain (especially if there are many more structure members), which is exactly what the author of the noncompliant code example was likely trying to avoid.

Compliant Solution

A better solution is to define the structure to contain an array member to store the numbers in an array rather than a structure, as in this compliant solution:

#include <stddef.h>

struct numbers {
  short a[3];
};

int sum_numbers(const short *numb, size_t dim) {
  int total = 0;
  for (size_t i = 0; i < dim; ++i) {
    total += numb[i];
  }

  return total;
}

int main(void) {
  struct numbers my_numbers = { .a[0]= 1, .a[1]= 2, .a[2]= 3};
  sum_numbers(
    my_numbers.a,
    sizeof(my_numbers.a)/sizeof(my_numbers.a[0])
  );
  return 0;
}

Array elements are guaranteed to be contiguous in memory, so this solution is completely portable.

Exceptions

ARR37-C-EX1: Any non-array object in memory can be considered an array consisting of one element. Adding one to a pointer for such an object yields a pointer one element past the array, and subtracting one from that pointer yields the original pointer. This allows for code such as the following:

#include <stdlib.h>
#include <string.h>
 
struct s {
  char *c_str;
  /* Other members */
};
 
struct s *create_s(const char *c_str) {
  struct s *ret;
  size_t len = strlen(c_str) + 1;
  
  ret = (struct s *)malloc(sizeof(struct s) + len);
  if (ret != NULL) {
    ret->c_str = (char *)(ret + 1);
    memcpy(ret + 1, c_str, len);
  }
  return ret;
}

A more general and safer solution to this problem is to use a flexible array member that guarantees the array that follows the structure is properly aligned by inserting padding, if necessary, between it and the member that immediately precedes it.

Risk Assessment

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
ARR37-C	Medium	Probable	Medium	P8	L2

Related Guidelines

Taxonomy	Taxonomy item	Relationship

Bibliography

[ Banahan 2003]	Section 5.3, "Pointers" Section 5.7, "Expressions Involving Pointers"
[ ISO/IEC 9899:2011]	6.5.6, "Additive Operators"
[ VU#162289]

Excerpt from SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition) and SEI CERT C Coding Standard [https://cmu-sei.github.io/secure-coding-standards/sei-cert-c-coding-standard/rules/arrays-arr/arr37-c], Copyright (C) 1995-2026 Carnegie Mellon University. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key	Text	Severity	Disabled
out_of_bounds_nonarray	Pointer arithmetic on {node0} possibly operates on non-array target {name0}	None	False
out_of_bounds_nonarray_arithmetic	Pointer arithmetic on {node0} possibly creates pointer outside of non-array target {name0}	None	False
out_of_bounds_nonarray_arithmetic_undereferenced	Pointer arithmetic on {node0} possibly creates pointer one past non-array target {name0} (but not dereferenced)	None	False

Options

• This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity

• The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

distinguish_nonarray_access_kinds

distinguish_nonarray_access_kinds : bool = False

If false, the rule reports every finding involving a non-array target using messages of kind out_of_bounds_nonarray. If true, it differentiates these findings using the message kinds out_of_bounds_nonarray_arithmetic (for cases where possibly an invalid pointer is formed), out_of_bounds_nonarray_arithmetic_undereferenced (pointer one past target object is formed, but not dereferenced), and out_of_bounds_nonarray (remaining cases where valid pointers are formed).

 

nonarray_only_report_invalid_pointers

nonarray_only_report_invalid_pointers : bool = False

If true, the rule only reports findings where invalid pointers are formed, using either messages of kind out_of_bounds_nonarray (if option distinguish_nonarray_access_kinds is false) or messages of kind out_of_bounds_nonarray_arithmetic (otherwise).