FIO38-C. Do not copy a FILE object
According to the C Standard, 7.23.3, paragraph 6 [ ISO/IEC 9899:2024 ],
The address of the
FILEobject used to control a stream may be significant; a copy of aFILEobject is not required to serve in place of the original.
Consequently, do not copy a FILE object.
Noncompliant Code Example
This noncompliant code example can fail because a by-value copy of stdout is being used in the call to fputs() :
#include <stdio.h>
int main(void) {
FILE my_stdout = *stdout;
if (fputs("Hello, World!\n", &my_stdout) == EOF) {
/* Handle error */
}
return 0;
}
When compiled under Microsoft Visual Studio 2013 and run on Windows, this noncompliant example results in an "access violation" at runtime.
Compliant Solution
In this compliant solution, a copy of the stdout pointer to the FILE object is used in the call to fputs() :
#include <stdio.h>
int main(void) {
FILE *my_stdout = stdout;
if (fputs("Hello, World!\n", my_stdout) == EOF) {
/* Handle error */
}
return 0;
}
Risk Assessment
Using a copy of a FILE object in place of the original may result in a crash, which can be used in a denial-of-service attack .
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| FIO38-C | Low | Probable | Yes | No | P4 | L3 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | 25.10 | file-dereference | Partially checked |
| Axivion Bauhaus Suite | 7.2.0 | CertC-FIO38 | Fully implemented |
| Clang | 3.9 | misc-non-copyable-objects | Checked with clang-tidy |
| Compass/ROSE | Can detect simple violations of this rule | ||
| Coverity | 2017.07 | MISRA C 2012 Rule 22.5 | Partially implemented |
| Cppcheck Premium | 24.11.0 | premium-cert-fio38-c | |
| Helix QAC | 2025.2 | C1485, C5028 C++3113, C++3114 | |
| Klocwork | 2025.2 | MISRA.FILE_PTR.DEREF.2012 | |
| LDRA tool suite | 9.7.1 | 591 S | Fully implemented |
| Parasoft C/C++test | 2025.2 | CERT_C-FIO38-a | A pointer to a FILE object shall not be dereferenced |
| PC-lint Plus | 1.4 | 9047 | Partially supported: reports when a FILE pointer is dereferenced |
R2025b | CERT C: Rule FIO38-C | Checks for misuse of a FILE object (rule fully covered) | |
| RuleChecker | 25.10 | file-dereference | Partially checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website .
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship |
| ISO/IEC TS 17961:2013 | Copying a FILE object [filecpy] | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
| [ ISO/IEC 9899:2024 ] | 7.23.3, "Files" |
