CWE Rule 176
Description
Improper Handling of Unicode Encoding
Polyspace Implementation
The rule checker checks for these issues:
Buffer cannot hold as many characters as specified
Misuse of narrow or wide character string
Examples
This issue occurs when one of the Windows® API functions for character encoding conversions,
MultiByteToWideChar or WideCharToMultiByte, is
called with an insufficient buffer size.
A buffer overflow can occur if the buffer size in
MultiByteToWideChar or WideCharToMultiByte cannot
hold as many characters as specified.
One possible fix is to ensure that the functions receive a sufficient output buffer size, specified in the correct units:
WideCharToMultiByteexpects the output buffer size in bytes.MultiByteToWideCharexpects the output buffer size in wide characters.
If you do not want to fix the issue, add comments to your result or code. For more information, see:
Address Polyspace Results Through Bug Fixes or Justifications if you review results in the Polyspace Platform user interface
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE
MultiByteToWideChar Buffer Too Small
#include <windows.h>
#include <lm.h>
void getUserInfo(char *username, LPBYTE* info) {
WCHAR unicodeUser[UNLEN+1];
MultiByteToWideChar(0, 0, username, -1, unicodeUser, sizeof(unicodeUser)); // Noncompliant
NetUserGetInfo(NULL, unicodeUser, 2, info);
}
In this example, the function uses
sizeof(unicodeUser) to calculate the buffer size, which gives the
size in bytes instead of the required number of wide characters. This can lead to buffer
overflow.
One possible correction is to replace
sizeof(unicodeUser) with UNLEN+1, which ensures
there is enough space in the buffer to store the longest possible user name plus the
required null-terminator. This ensures the string is properly terminated and prevents
buffer overflow.
#include <windows.h>
#include <lm.h>
void getUserInfo(char *username, LPBYTE* info) {
WCHAR unicodeUser[UNLEN+1];
MultiByteToWideChar(0, 0, username, -1, unicodeUser, UNLEN+1); // Compliant
NetUserGetInfo(NULL, unicodeUser, 2, info);
}This issue occurs when you pass a narrow character string to a wide string function, or a wide character string to a narrow string function. If narrow and wide character strings have the same size on your operating system, Polyspace® does not report a violation.
Using a narrow character string with a wide string function, or vice versa, can result in unexpected or undefined behavior.
If you pass a wide character string to a narrow string function, you can encounter these issues:
Data truncation — If the string contains null bytes, a copy operation using
strncpy()can terminate early.Incorrect string length —
strlen()returns the number of characters of a string up to the first null byte. A wide string can have additional characters after its first null byte.
If you pass a narrow character string to a wide string function, you can encounter this issue:
Buffer overflow — In a copy operation using
wcsncpy(), the destination string might have insufficient memory to store the result of the copy.
Use the narrow string functions with narrow character strings. Use the wide string functions with wide character strings.
strncpy()
#include <string.h>
#include <wchar.h>
void func(void)
{
wchar_t wide_str1[] = L"0123456789";
wchar_t wide_str2[] = L"0000000000";
strncpy((char *)wide_str2, (const char *)wide_str1, 10); // Noncompliant
}In this example, strncpy() copies 10 wide characters from
wide_strt1 to wide_str2. If
wide_str1 contains null bytes, the copy operation can end prematurely
and truncate the wide character string.
wcsncpy() to Copy Wide Character StringsOne possible correction is to use wcsncpy() to copy
wide_str1 to wide_str2.
#include <string.h>
#include <wchar.h>
void func(void)
{
wchar_t wide_str1[] = L"0123456789";
wchar_t wide_str2[] = L"0000000000";
wcsncpy(wide_str2, wide_str1, 10); // Compliant
}Check Information
| Category: Others |
PQL Name: std.cwe_native.R176 |
Version History
Introduced in R2026a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
Select a Web Site
Choose a web site to get translated content where available and see local events and offers. Based on your location, we recommend that you select: .
You can also select a web site from the following list
How to Get Best Site Performance
Select the China site (in Chinese or English) for best site performance. Other MathWorks country sites are not optimized for visits from your location.
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)