Cast from char* to wchar_t*
ID: cpp/incorrect-string-type-conversion
Kind: problem
Security severity: 8.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-704
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
This rule indicates a potentially incorrect cast from a byte string (char *) to a wide-character string (wchar_t *).
Such a cast does not convert the string; it reinterprets the same bytes as wchar_t units, so the byte string's single NUL byte is generally not a valid wide-character terminator. The resulting string may not be correctly terminated, and passing it to APIs that scan for a terminator (for example, wide-character length, copy or format functions) can read or write beyond the intended buffer.
Recommendation¶
Do not explicitly cast byte strings to wide-character strings.
For string literals, prepend the literal string with the letter “L” to indicate that the string is a wide-character string (wchar_t *).
For converting a byte literal to a wide-character string literal, you would need to use the appropriate conversion function for the platform you are using. Please see the references section for options according to your platform.
Example
In the following example, a byte string literal ("a") is cast to a wide-character string.
wchar_t* pSrc;
pSrc = (wchar_t*)"a"; // casting a byte-string literal "a" to a wide-character string
To fix this issue, prepend the literal with the letter “L” (L"a") to define it as a wide-character string.
References
General resources: std::mbstowcs
Microsoft specific resources: Security Considerations: International Features
Common Weakness Enumeration: CWE-704.