Illegally dereferenced pointer

Pointer is dereferenced outside bounds

expand all in page

Description

This check on a pointer dereference determines whether the pointer is NULL or points outside its bounds. The check occurs only when you dereference a pointer and not when you reassign to another pointer or pass the pointer to a function.

The check message shows you the pointer offset and buffer size in bytes. A pointer points outside its bounds when the sum of the offset and pointer size exceeds the buffer size.

  • Buffer: When you assign an address to a pointer, a block of memory is allocated to the pointer. You cannot access memory beyond that block using the pointer. The size of this block is the buffer size.

    Sometimes, instead of a definite value, the size can be a range. For instance, if you create a buffer dynamically using malloc with an unknown input for the size, Polyspace® assumes that the array size can take the full range of values allowed by the input data type.

  • Offset: You can move a pointer within the allowed memory block by using pointer arithmetic. The difference between the initial location of the pointer and its current location is the offset.

    Sometimes, instead of a definite value, the offset can be a range. For instance, if you access an array in a loop, the offset changes value in each loop iteration and takes a range of values throughout the loop.

For instance, if the pointer points to an array:

  • The buffer size is the array size.

  • The offset is the difference between the beginning of the array and the current location of the pointer.

Examples

expand all

#define Size 1024

int input(void);

void main() {
    int arr[Size];
    int *p = arr;

    for (int index = 0; index < Size ; index++, p++){
        *p = input();
    }
    *p = input();
}

In this example:

  • Before the for loop, p points to the beginning of the array arr.

  • After the for loop, p points outside the array.

The Illegally dereferenced pointer check on dereference of p after the for loop produces a red error.

Correction — Remove illegal dereference

One possible correction is to remove the illegal dereference of p after the for loop.

#define Size 1024

int input(void);

void main() {
    int arr[Size];
    int *p = arr;
 	
    for (int index = 0; index < Size ; index++, p++) {
        *p = input();
    }
}    
typedef struct S {
    int f1;
    int f2;
    int f3;
} S;

void Initialize(int *ptr) {
    *ptr = 0;
    *(ptr+1) = 0;
    *(ptr+2) = 0;
}

void main(void) {
    S myStruct;
    Initialize(&myStruct.f1);
}

In this example, in the body of Initialize, ptr is an int pointer that points to the first field of the structure. When you attempt to access the second field through ptr, the Illegally dereferenced pointer check produces a red error.

Correction — Avoid memory access outside structure field

One possible correction is to pass a pointer to the entire structure to Initialize.

typedef struct S {
    int f1;
    int f2;
    int f3;
} S;

void Initialize(S* ptr) {
    ptr->f1 = 0;
    ptr->f2 = 0;
    ptr->f3 = 0;
}

void main(void) {
    S myStruct;
    Initialize(&myStruct);
}
#include<stdlib.h>

void main() {
    int *ptr=NULL;
    *ptr=0;
}

In this example, ptr is assigned the value NULL. Therefore when you dereference ptr, the Illegally dereferenced pointer check produces a red error.

Correction — Avoid NULL pointer dereference

One possible correction is to initialize ptr with the address of a variable instead of NULL.

void main() {
    int var;
    int *ptr=&var;
    *ptr=0;
}
int getOffset(void);

void main() {
    int *ptr = (int*) 0 + getOffset();
    if(ptr != (int*)0)
        *ptr = 0;
}

In this example, although an offset is added to (int*) 0, Polyspace does not treat the result as a valid address. Therefore when you dereference ptr, the Illegally dereferenced pointer check produces a red error.

struct flagCollection {
    unsigned int flag1: 1;
    unsigned int flag2: 1;
    unsigned int flag3: 1;
    unsigned int flag4: 1;
    unsigned int flag5: 1;
    unsigned int flag6: 1;
    unsigned int flag7: 1;
};

char getFlag(void);

int main()
{
    unsigned char myFlag = getFlag();
    struct flagCollection* myFlagCollection;
    myFlagCollection = (struct flagCollection *) &myFlag;
    if (myFlagCollection->flag1 == 1)
        return 1;
    return 0;
}

In this example:

  • The fields of flagCollection have type unsigned int. Therefore, a flagCollection structure requires 32 bits of memory in a 32-bit architecture even though the fields themselves occupy 7 bits.

  • When you cast a char address &myFlag to a flagCollection pointer myFlagCollection, you assign only 8 bits of memory to the pointer. Therefore, the Illegally dereferenced pointer check on dereference of myFlagCollection produces a red error.

Correction — Use correct type for bit fields

One possible correction is to use unsigned char as field type of flagCollection instead of unsigned int. In this case:

  • The structure flagCollection requires 8 bits of memory.

  • When you cast the char address &myFlag to the flagCollection pointer myFlagCollection, you also assign 8 bits of memory to the pointer. Therefore, the Illegally dereferenced pointer check on dereference of myFlagCollection is green.

struct flagCollection {
    unsigned char flag1: 1;
    unsigned char flag2: 1;
    unsigned char flag3: 1;
    unsigned char flag4: 1;
    unsigned char flag5: 1;
    unsigned char flag6: 1;
    unsigned char flag7: 1;
};

char getFlag(void);

int main()
{
    unsigned char myFlag = getFlag();
    struct flagCollection* myFlagCollection;
    myFlagCollection = (struct flagCollection *) &myFlag;
    if (myFlagCollection->flag1 == 1)
        return 1;
    return 0;
}
#include <stdlib.h>

void main(void)
{
    char *p = (char*)malloc(1);
    char *q = p;
    *q = 'a';
}

In this example, malloc can return NULL to p. Therefore, when you assign p to q and dereference q, the Illegally dereferenced pointer check produces a red error.

Correction — Check return value of malloc for NULL

One possible correction is to check p for NULL before dereferencing q.

#include <stdlib.h>
void main(void)
{
    char *p = (char*)malloc(1);
    char *q = p;
    if(p!=NULL) *q = 'a';
}
#include <stdlib.h>

enum typeName {CHAR,INT};

typedef struct {
    enum typeName myTypeName;
    union {
        char myChar;
        int myInt;
    } myVar;
} myType;

void main() {
    myType* myTypePtr;
    myTypePtr = (myType*)malloc(sizeof(int) + sizeof(char));
    if(myTypePtr != NULL) {
        myTypePtr->myTypeName = INT;
    }
}

In this example:

  • Because the union myVar has an int variable as a field, it must be assigned 4 bytes in a 32-bit architecture. Therefore, the structure myType must be assigned 4+4 = 8 bytes.

  • malloc returns sizeof(int) + sizeof(char)=4+1=5 bytes of memory to myTypePtr, a pointer to a myType structure. Therefore, when you dereference myTypePtr, the Illegally dereferenced pointer check returns a red error.

Correction — Assign sufficient memory to pointer

One possible correction is to assign 8 bytes of memory to myTypePtr before dereference.

#include <stdlib.h>

enum typeName {CHAR,INT};

typedef struct {
    enum typeName myTypeName;
    union {
        char myChar;
        int myInt;
    } myVar;
} myType;

void main() {
    myType* myTypePtr;
    myTypePtr = (myType*)malloc(sizeof(int) + sizeof(int));
    if(myTypePtr != NULL) {
        myTypePtr->myTypeName = INT;
    }
}
#include <stdlib.h>
typedef struct {
    int length;
    int breadth;
} rectangle;

typedef struct {
    int length;
    int breadth;
    int height;
} cuboid;

void main() {
    cuboid *cuboidPtr = (cuboid*)malloc(sizeof(rectangle));
    if(cuboidPtr!=NULL) {
        cuboidPtr->length = 10;
        cuboidPtr->breadth = 10;
    }
}

In this example, cuboidPtr obtains sufficient memory to accommodate two of its fields. Because the ANSI® C standards do not allow such partial memory allocations, the Illegally dereferenced pointer check on the dereference of cuboidPtr produces a red error.

Correction — Allocate full memory

To observe ANSI C standards, cuboidPtr must be allocated full memory.

#include <stdlib.h>
typedef struct {
    int length;
    int breadth;
} rectangle;

typedef struct {
    int length;
    int breadth;
    int height;
} cuboid;

void main() {
    cuboid *cuboidPtr = (cuboid*)malloc(sizeof(cuboid));
    if(cuboidPtr!=NULL) {
        cuboidPtr->length = 10;
        cuboidPtr->breadth = 10;
    }
}
Correction — Use Polyspace analysis option

You can allow partial memory allocation for structures, yet not have a red Illegally dereferenced pointer error. To allow partial memory allocation, on the Configuration pane, under Check Behavior, select Allow incomplete or partial allocation of structures.

#include <stdlib.h>
typedef struct {
    int length;
    int breadth;
} rectangle;

typedef struct {
    int length;
    int breadth;
    int height;
} cuboid;

void main() {
    cuboid *cuboidPtr = (cuboid*)malloc(sizeof(rectangle));
    if(cuboidPtr!=NULL) {
        cuboidPtr->length = 10;
        cuboidPtr->breadth = 10;
    }
}
#include <stdlib.h>
typedef struct {
    int length;
    int breadth;
} square;


void main() {
    square mySquare;
    char* squarePtr = (char*)&mySquare.length;
//Assign zero to mySquare.length byte by byte
    for(int byteIndex=1; byteIndex<=4; byteIndex++) {
        *squarePtr=0;
        squarePtr++;
    }
//Assign zero to first byte of mySquare.breadth
    *squarePtr=0;
}

In this example, although squarePtr is a char pointer, it is assigned the address of the integer mySquare.length. Because:

  • char occupies 1 byte,

  • int occupies 4 bytes in a 32–bit architecture,

squarePtr can access the four bytes of mySquare.length through pointer arithmetic. But when it accesses the first byte of another field mySquare.breadth, the Illegally dereferenced pointer check produces a red error.

Correction — Assign address of structure instead of field

One possible correction is to assign squarePtr the address of the full structure mySquare instead of mySquare.length. squarePtr can then access all the bytes of mySquare through pointer arithmetic.

#include <stdlib.h>
typedef struct {
    int length;
    int breadth;
} square;


void main() {
    square mySquare;
    char* squarePtr = (char*)&mySquare;
//Assign zero to mySquare.length byte by byte
    for(int byteIndex=1; byteIndex<=4; byteIndex++) {
        *squarePtr=0;
        squarePtr++;
    }
//Assign zero to first byte of mySquare.breadth
    *squarePtr=0;
}
Correction — Use Polyspace analysis option (not available in C++)

You can use a pointer to navigate across the fields of a structure and not produce a red Illegally dereferenced pointer error. To allow such navigation, on the Configuration pane, under Check Behavior, select Enable pointer arithmetic across fields.

This option is not available for C++ projects. In C++, pointer arithmetic becomes nontrivial when dealing with concepts such as polymorphic types.


#include <stdlib.h>
typedef struct {
    int length;
    int breadth;
} square;


void main() {
    square mySquare;
    char* squarePtr = (char*)&mySquare.length;
//Assign zero to mySquare.length byte by byte
    for(int byteIndex=1; byteIndex<=4; byteIndex++) {
        *squarePtr=0;
        squarePtr++;
    }
//Assign zero to first byte of mySquare.breadth
    *squarePtr=0;
}
void func2(int *ptr) {
    *ptr = 0; 
}

int* func1(void) {
    int ret = 0;
    return &ret ;
}
void main(void) {
    int* ptr = func1() ;
    func2(ptr) ;
}

In the following code, ptr points to ret. Because the scope of ret is limited to func1, when ptr is accessed in func2, the access is illegal. The verification produces a red Illegally dereferenced pointer check on *ptr.

By default, Polyspace Code Prover™ does not detect functions returning pointers to local variables. To detect such cases, use the option Detect stack pointer dereference outside scope (-detect-pointer-escape).

Check Information

Group: Static memory
Language: C | C++
Acronym: IDP

See Also

| | |

Topics

Polyspace Code Prover Documentation

Support