[metadata]
id = "ARR36-C"
type = "rule"
category = "ARR"
number = 36
title = "Do not subtract or compare two pointers that do not refer to the same array"
description = """
When two pointers are subtracted, both must point to elements of the same array
object or just one past the last element of the array object (C Standard, 6.5.7
[ISO/IEC 9899:2024]); the result is the difference of the subscripts of the two
array elements. Otherwise, the operation isundefined behavior. (Seeundefined
behavior 45.) Similarly, comparing pointers using the relational
operators<,<=,>=, and>gives the positions of the pointers relative to each
other. Subtracting or comparing pointers that do not refer to the same array is
undefined behavior. (Seeundefined behavior 45andundefined behavior 50.)
Comparing pointers using the equality operators==and!=has well-defined semantics
regardless of whether or not either of the pointers is null, points into the
same object, or points one past the last element of an array object or function.
"""
severity = "Medium"
likelihood = "Probable"
priority = "P4"
level = "L3"
cert_version = "2016 Edition (Wiki)"
last_modified = "Oct 29, 2025"
[rules.cert_c.ARR36-C]
enabled = true
[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/ARR36-C.+Do+not+subtract+or+compare+two+pointers+that+do+not+refer+to+the+same+array"
cwe = ["CWE-469"]