IAR Embedded Workbench for RL78 5.20

CERT-EXP33-C_a

Synopsis

Do not read uninitialized memory.

Enabled by default

Yes

Severity/Certainty

High/Medium

Full description

Uninitialized automatic variables and dynamically allocated memory have indeterminate values, which, for objects of some types, can be trap representations. Reading such a trap representation is undefined behavior; it can cause a program to behave in an unexpected manner and provide an avenue for attack.

Coding standards
CERT EXP33-C

Do not reference uninitialized memory

CWE 758

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

CWE 824

Access of Uninitialized Pointer

CWE 908

Use of Uninitialized Resource

Code examples

The following code example fails the check and will give a warning:

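#define NULL 0
void set_flag(int number, int *sign_flag) {
    if (NULL == sign_flag) {
        return;
    }

    /* No branch handles number == 0, so *sign_flag is not written then */
    if (number > 0) {
        *sign_flag = 1;
    } else if (number < 0) {
        *sign_flag = -1;
    }
}

int is_negative(int number) {
    int sign; /* Uninitialized automatic variable */
    set_flag(number, &sign);
    return sign < 0; /* Reads an indeterminate value when number == 0 */
}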

The following code example passes the check and will not give a warning about this issue:

#define NULL 0
void set_flag(int number, int *sign_flag) {
    if (NULL == sign_flag) {
        return;
    }

    /* Account for number being 0 */
    if (number >= 0) {
        *sign_flag = 1;
    } else {
        *sign_flag = -1;
    }
}

int is_negative(int number) {
    int sign = 0; /* Initialize for defense-in-depth */
    set_flag(number, &sign);
    return sign < 0;
}
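
The full description also names dynamically allocated memory, which the examples above do not cover. The following is an added example, not part of the IAR documentation, showing the same defect with malloc() beside a corrected form that uses calloc(); the function names and sample data are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers, constructed for illustration. */

/* Non-compliant: malloc() returns storage with indeterminate contents.
 * Only the first `used` slots are written, yet all `cap` slots are read. */
int sum_slots_bad(const int *src, size_t used, size_t cap) {
    int *slots = malloc(cap * sizeof *slots);
    int total = 0;
    if (slots == NULL || used > cap) {
        free(slots);
        return -1;
    }
    memcpy(slots, src, used * sizeof *slots);
    for (size_t i = 0; i < cap; i++) {
        total += slots[i]; /* slots[used..cap) were never initialized */
    }
    free(slots);
    return total;
}

/* Compliant: calloc() zero-fills the allocation, so every slot holds a
 * defined value before it is read. */
int sum_slots_good(const int *src, size_t used, size_t cap) {
    int *slots = calloc(cap, sizeof *slots);
    int total = 0;
    if (slots == NULL || used > cap) {
        free(slots);
        return -1;
    }
    memcpy(slots, src, used * sizeof *slots);
    for (size_t i = 0; i < cap; i++) {
        total += slots[i];
    }
    free(slots);
    return total;
}

int main(void) {
    const int sample[3] = {1, 2, 3}; /* constructed sample input */
    /* Only the compliant variant is exercised here. */
    return sum_slots_good(sample, 3, 8) == 6 ? 0 : 1;
}
```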