CERT Secure Coding

STR05-C. Use pointers to const when referring to string literals

The type of a narrow string literal is an array of char, and the type of a wide string literal is an array of wchar_t. However, string literals (of both types) are notionally constant and should consequently be protected by const qualification. This recommendation is a specialization of DCL00-C. Const-qualify immutable objects and also supports STR30-C. Do not attempt to modify string literals.

Adding const qualification may propagate through a program; as const qualifiers are added, still more become necessary. This phenomenon is sometimes called const-poisoning. Const-poisoning can frequently lead to violations of EXP05-C. Do not cast away a const qualification. Although const qualification is a good idea, the costs may outweigh the value in the remediation of existing code.

Noncompliant Code Example (Narrow String Literal)

In this noncompliant code example, the const keyword has been omitted:

Non-compliant code
char *c = "Hello";

If a statement such as c[0] = 'C' were placed following the declaration in the noncompliant code example, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.

Compliant Solution (Immutable Strings)

In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them to different values is an error:

Compliant code
const char *c = "Hello";

Compliant Solution (Mutable Strings)

In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable char array that has been initialized using the contents of the corresponding string literal:

Compliant code
char c[] = "Hello";

Consequently, a statement such as c[0] = 'C' is valid and behaves as expected.
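
The following is an added example, not code from the CERT page. It shows how to keep const qualification intact when a string does need to change: read-only code takes const char *, and modification happens on a copy in a writable array instead of through a cast. The names greeting, count_upper and upcase_into are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; this is an illustration, not CERT's code. */

/* Literal referenced through a pointer to const (STR05-C); the pointer
 * itself is also const so it cannot be re-aimed at other storage. */
static const char *const greeting = "Hello";

/* Read-only consumer: the const-qualified parameter accepts literals and
 * writable buffers alike, and the compiler rejects any write through s. */
size_t count_upper(const char *s) {
    size_t n = 0;
    for (; *s != '\0'; ++s) {
        if (isupper((unsigned char)*s)) {
            ++n;
        }
    }
    return n;
}

/* Mutating operation: rather than casting away const on a literal, copy it
 * into caller-owned writable storage and modify the copy.
 * Returns 0 on success, -1 if an argument is NULL or dst is too small
 * (the copy is refused, never truncated). */
int upcase_into(char *dst, size_t dst_size, const char *src) {
    size_t len;
    if (dst == NULL || src == NULL) {
        return -1;
    }
    len = strlen(src);
    if (len >= dst_size) {
        return -1;
    }
    for (size_t i = 0; i < len; ++i) {
        dst[i] = (char)toupper((unsigned char)src[i]);
    }
    dst[len] = '\0';
    return 0;
}

int main(void) {
    char buf[sizeof "Hello"];   /* writable array sized for the literal */
    if (upcase_into(buf, sizeof buf, greeting) != 0) {
        return 1;
    }
    return (count_upper(buf) == 5 && count_upper(greeting) == 1) ? 0 : 1;
}
```

Building this with -Wwrite-strings enabled produces no diagnostics, because no string literal is ever reached through a non-const pointer.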

Noncompliant Code Example (Wide String Literal)

In this noncompliant code example, the const keyword has been omitted:

Non-compliant code
wchar_t *c = L"Hello";

If a statement such as c[0] = L'C' were placed following this declaration, the code is likely to compile cleanly, but the result of the assignment would be undefined because string literals are considered constant.

Compliant Solution (Immutable Strings)

In this compliant solution, the characters referred to by the pointer c are const-qualified, meaning that any attempt to assign them to different values is an error:

Compliant code
wchar_t const *c = L"Hello";

Compliant Solution (Mutable Strings)

In cases where the string is meant to be modified, use initialization instead of assignment. In this compliant solution, c is a modifiable wchar_t array that has been initialized using the contents of the corresponding string literal:

Compliant code
wchar_t c[] = L"Hello";

Consequently, a statement such as c[0] = L'C' is valid and behaves as expected.

Risk Assessment

Modifying string literals causes undefined behavior, resulting in abnormal program termination and denial-of-service vulnerabilities.

| Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| STR05-C | Low | Unlikely | Yes | Yes | P3 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | 25.10 | literal-assignment | Fully checked |
| Axivion Bauhaus Suite | 7.2.0 | CertC-STR05 | |
| Clang | 3.9 | -Wwrite-strings | Not enabled by -Weverything |
| CodeSonar | 9.1p0 | LANG.TYPE.NCS | Non-const string literal |
| Compass/ROSE | | | |
| ECLAIR | 1.2 | CC2.STR05 | Fully implemented |
| GCC | 4.3.5 | -Wwrite-strings | |
| Helix QAC | 2025.2 | C0752, C0753 | |
| Klocwork | 2025.2 | MISRA.STRING_LITERAL.NON_CONST.2012 | |
| LDRA tool suite | 9.7.1 | 623 S | Fully implemented |
| Parasoft C/C++test | 2025.2 | CERT_C-STR05-a | A string literal shall not be modified |
| PC-lint Plus | 1.4 | 1776 | Fully supported |
| RuleChecker | 25.10 | literal-assignment | Fully checked |
| Security Reviewer - Static Reviewer | 6.02 | RTOS_31 | Fully implemented |

Search for vulnerabilities resulting from the violation of this rule on the CERT website.
