
FIO40-C. Reset strings on fgets() or fgetws() failure

If either of the C Standard fgets() or fgetws() functions fails, the contents of the array being written are indeterminate. (See undefined behavior 175.) The string must therefore be reset to a known value before it is passed to any subsequent string manipulation function.

Noncompliant Code Example

In this noncompliant code example, an error flag is set if fgets() fails. However, buf is not reset and has indeterminate contents:

Non-compliant code
#include <stdio.h>
 
enum { BUFFER_SIZE = 1024 };
void func(FILE *file) {
  char buf[BUFFER_SIZE];

  if (fgets(buf, sizeof(buf), file) == NULL) {
    /* Set error flag and continue */
  }
}

Compliant Solution

In this compliant solution, buf is set to an empty string if fgets() fails. The equivalent solution for fgetws() would set buf to an empty wide string.

Compliant code
#include <stdio.h>
 
enum { BUFFER_SIZE = 1024 };

void func(FILE *file) {
  char buf[BUFFER_SIZE];

  if (fgets(buf, sizeof(buf), file) == NULL) {
    /* Set error flag and continue */
    *buf = '\0';
  }
}
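The following is an added, runnable example (not part of the CERT page) that applies the compliant pattern to both fgets() and fgetws(): each reader resets the buffer to an empty (wide) string on failure, so callers can unconditionally call strlen()/wcslen() afterwards. The helper names (read_line, read_wline, count_lines_and_check_reset, count_wlines_and_check_reset) are hypothetical, and the input text is a constructed sample written to a temporary stream with the standard tmpfile() function.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

enum { BUFFER_SIZE = 1024 };

/* Read the next line into buf. Returns 1 on success. On failure (EOF or a
 * read error) returns 0 and resets buf to "" so that buf is always a valid,
 * null-terminated C string, as FIO40-C requires. */
int read_line(FILE *file, char *buf, size_t size) {
  if (fgets(buf, (int)size, file) == NULL) {
    /* Contents of buf are indeterminate here: reset before anyone uses it. */
    buf[0] = '\0';
    return 0;
  }
  return 1;
}

/* Wide-character counterpart: reset to the empty wide string on failure. */
int read_wline(FILE *file, wchar_t *buf, size_t count) {
  if (fgetws(buf, (int)count, file) == NULL) {
    buf[0] = L'\0';
    return 0;
  }
  return 1;
}

/* Demonstration helper (hypothetical): write the constructed text to a
 * temporary stream, read every line with read_line(), and then inspect buf
 * after the call that failed at EOF. Returns the number of lines read, or -1
 * if the stream could not be created or buf was not left empty on failure. */
int count_lines_and_check_reset(const char *text) {
  char buf[BUFFER_SIZE];
  FILE *file = tmpfile();
  if (file == NULL) return -1;
  fputs(text, file);
  rewind(file);

  int count = 0;
  while (read_line(file, buf, sizeof buf)) {
    count++;
  }
  /* Safe even though the last read_line() failed: buf is "" by contract. */
  size_t remaining = strlen(buf);
  fclose(file);
  return remaining == 0 ? count : -1;
}

/* Same check for the wide-character API. */
int count_wlines_and_check_reset(const wchar_t *text) {
  wchar_t buf[BUFFER_SIZE];
  FILE *file = tmpfile();
  if (file == NULL) return -1;
  fputws(text, file);
  rewind(file);

  int count = 0;
  while (read_wline(file, buf, sizeof buf / sizeof buf[0])) {
    count++;
  }
  size_t remaining = wcslen(buf); /* buf is L"" after the failed fgetws() */
  fclose(file);
  return remaining == 0 ? count : -1;
}

int main(void) {
  /* Constructed sample input, not taken from any real file. */
  printf("narrow lines: %d\n", count_lines_and_check_reset("alpha\nbeta\ngamma\n"));
  printf("wide lines:   %d\n", count_wlines_and_check_reset(L"alpha\nbeta\n"));
  return 0;
}
```

The point of the helpers is that the reset happens inside the reader, next to the failing call, so every caller inherits a buffer that is safe to hand to strlen(), strcmp() or printf("%s") without having to remember the failure case itself.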

Exceptions

FIO40-C-EX1: If the string goes out of scope immediately following the call to fgets() or fgetws() or is not referenced in the case of a failure, it need not be reset.

Risk Assessment

Making invalid assumptions about the contents of an array modified by fgets() or fgetws() can result in undefined behavior 175 and abnormal program termination.

Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level
FIO40-C | Low | Probable | Yes | Yes | P6 | L2

Automated Detection

Tool | Version | Checker | Description
CodeSonar | 9.1p0 | LANG.MEM.UVAR | Uninitialized Variable
Cppcheck Premium | 24.11.0 | premium-cert-fio40-c |
Helix QAC | 2025.2 | DF4861, DF4862, DF4863 |
LDRA tool suite | 9.7.1 | 44 S | Enhanced enforcement
Parasoft C/C++test | 2025.2 | CERT_C-FIO40-a | Reset strings on fgets() or fgetws() failure
Polyspace Bug Finder | R2025b | CERT C: Rule FIO40-C | Checks for use of indeterminate string (rule partially covered)
PVS-Studio | 7.42 | V1024 |

Search for vulnerabilities resulting from the violation of this rule on the CERT website.