Pointers in C — Preventing Use-After-Free Crashes

Every time you run a C program, the operating system hands it a chunk of memory. Variables live in that memory, each one sitting at a specific address — like houses on a street. Pointers let you work with those addresses directly, and that capability is the single reason C can do things most high-level languages can't: build operating systems, write device drivers, manage memory with surgical precision, and pass huge data structures around without copying a single byte.

What a Pointer Actually Is — Memory Addresses Made Concrete

When you declare int temperature = 72;, C reserves 4 bytes somewhere in memory and stores the value 72 there. That location has an address — think of it as a number like 0x7ffd3a2c. A pointer is a variable whose job is to hold that address.

The & operator gives you the address of any variable. The * operator — called the dereference operator — goes the other way: given an address, it gives you the value sitting at that address. These two operators are inverses of each other, and once that clicks, the rest of pointers makes sense.

Pointer types matter because the compiler needs to know how many bytes to read starting from an address. A char reads 1 byte, an int reads 4, a double* reads 8. The type encodes that byte‑width contract.

#include <stdio.h>

int main(void) {
    int temperature = 72;          // a normal int living somewhere in memory
    int *temp_ptr = &temperature;  // temp_ptr holds the ADDRESS of temperature

    printf("Value of temperature    : %d\n", temperature);
    printf("Address of temperature  : %p\n", (void *)&temperature);
    printf("What temp_ptr holds     : %p\n", (void *)temp_ptr);   // same address
    printf("Value via dereference   : %d\n", *temp_ptr);          // goes to that address, reads value

    // Changing the value THROUGH the pointer
    *temp_ptr = 98;  // we went to the address and wrote a new value
    printf("temperature after *temp_ptr = 98 : %d\n", temperature); // temperature itself changed!

    return 0;
}

Why Pointers Exist — Pass by Reference and Avoiding Costly Copies

C is a pass-by-value language. When you call a function with a variable, C copies that variable. For a single integer, that's fine. But imagine passing a 10,000-element array or a large struct by value on every function call — you'd be copying megabytes of data just to read a few fields. Pointers solve this completely.

By passing a pointer instead of the data, you pass just 8 bytes (on a 64-bit machine) regardless of how big the actual data is. The function then operates on the original data in place. This is what 'pass by reference' means in C — you're passing the address of the original, not a clone.

This pattern shows up everywhere: scanf needs a pointer so it can write back to your variable. qsort takes a comparator that receives pointers so it can compare without copying. String functions like strcpy operate on char* for exactly this reason.

#include <stdio.h>

// WITHOUT a pointer — this does NOT work as intended
void fahrenheit_to_celsius_broken(double fahrenheit) {
    fahrenheit = (fahrenheit - 32.0) * 5.0 / 9.0; // modifies a LOCAL COPY, caller never sees this
}

// WITH a pointer — this writes back to the caller's variable
void fahrenheit_to_celsius(double *fahrenheit_ptr) {
    // dereference to read the value, compute, then write result back to the same address
    *fahrenheit_ptr = (*fahrenheit_ptr - 32.0) * 5.0 / 9.0;
}

int main(void) {
    double boiling_point = 212.0;

    fahrenheit_to_celsius_broken(boiling_point);
    printf("After broken function   : %.2f F\n", boiling_point); // still 212 — unchanged

    fahrenheit_to_celsius(&boiling_point);  // pass the ADDRESS so the function can write back
    printf("After pointer function  : %.2f C\n", boiling_point); // now correctly 100

    return 0;
}

Pointer Arithmetic — How Arrays and Pointers Are the Same Thing

Here's something that surprises most newcomers: in C, an array name is essentially a pointer to its first element. When you write scores[2], the compiler translates that to *(scores + 2) — 'start at the base address, move forward by 2 elements, then dereference.' These are literally identical operations.

Pointer arithmetic is scaled by the type. If int_ptr points at an int (4 bytes), then int_ptr + 1 doesn't add 1 to the address — it adds 4, landing exactly on the next integer. The compiler handles the byte math for you. This is why you must get the pointer type right.

Understanding this relationship is the key to writing efficient string processing, building your own data structures, and reading any C library source code. It's also why C arrays don't carry their own length — they're just a starting address, and the programmer is responsible for knowing where they end.

#include <stdio.h>

int main(void) {
    int daily_steps[5] = {8200, 11500, 6700, 9300, 10100};

    int *cursor = daily_steps;  // array name decays to pointer to first element

    printf("--- Iterating with pointer arithmetic ---\n");
    for (int day = 0; day < 5; day++) {
        // (cursor + day) computes the address of element [day]
        // The +day actually adds (day * sizeof(int)) bytes under the hood
        printf("Day %d: %d steps  (address: %p)\n",
               day + 1,
               *(cursor + day),
               (void *)(cursor + day));
    }

    printf("\n--- Proof that arr[i] and *(arr+i) are identical ---\n");
    printf("daily_steps[3]      = %d\n", daily_steps[3]);
    printf("*(daily_steps + 3)  = %d\n", *(daily_steps + 3)); // exact same result
    printf("*(cursor + 3)       = %d\n", *(cursor + 3));       // and again

    printf("\nAddress gap between elements: %ld bytes\n",
           (long)((cursor + 1) - cursor) * (long)sizeof(int)); // always sizeof(int) = 4

    return 0;
}

Pointers to Pointers and Dynamic Memory — Where Real Power Lives

A pointer is just a variable, and like any variable, it has its own address. A pointer-to-pointer (int **) stores the address of another pointer. This sounds abstract, but it has two very concrete uses: passing a pointer itself by reference so a function can change what it points to, and managing 2D dynamically allocated arrays.

Dynamic memory is where pointers truly shine. malloc returns a pointer to a freshly allocated block on the heap — memory that persists until you explicitly free it with free. This lets you build data structures whose size you don't know at compile time: linked lists, trees, dynamic arrays.

The golden rule of dynamic memory: every malloc must have exactly one free. Miss the free and you leak memory. Free twice and you corrupt the allocator. Free then use and you get undefined behavior. Pointers make this power possible — and make these bugs your responsibility.

#include <stdio.h>
#include <stdlib.h>  // malloc, free, realloc
#include <string.h>  // memset

// Allocates a sensor reading buffer of requested size on the HEAP
// Returns a pointer to the buffer — caller is responsible for freeing it
double *create_sensor_buffer(int capacity) {
    double *buffer = malloc(capacity * sizeof(double)); // ask OS for capacity*8 bytes

    if (buffer == NULL) {  // ALWAYS check — malloc can fail if memory is exhausted
        fprintf(stderr, "ERROR: malloc failed for sensor buffer of size %d\n", capacity);
        return NULL;
    }

    // Initialize all bytes to 0 — malloc does NOT zero memory for you
    memset(buffer, 0, capacity * sizeof(double));
    return buffer;
}

// Demonstrates a double pointer — function needs to CHANGE what the pointer points to
void reassign_buffer(double **buffer_ptr, int new_capacity) {
    free(*buffer_ptr);                              // release the old block
    *buffer_ptr = malloc(new_capacity * sizeof(double)); // point to a new block
    if (*buffer_ptr) memset(*buffer_ptr, 0, new_capacity * sizeof(double));
}

int main(void) {
    int initial_capacity = 3;
    double *readings = create_sensor_buffer(initial_capacity);
    if (readings == NULL) return 1;

    readings[0] = 23.5;  // array indexing works on heap memory exactly like stack arrays
    readings[1] = 24.1;
    readings[2] = 22.8;

    printf("Initial readings: %.1f, %.1f, %.1f\n",
           readings[0], readings[1], readings[2]);
    printf("Buffer lives on heap at: %p\n", (void *)readings);

    // Grow the buffer — reassign_buffer needs **double to change what readings points to
    reassign_buffer(&readings, 6);
    readings[0] = 100.0;  // fresh buffer, old data is gone
    printf("After reassign, readings[0]: %.1f\n", readings[0]);
    printf("Buffer now lives at        : %p\n", (void *)readings); // different address!

    free(readings);      // ALWAYS free heap memory when done
    readings = NULL;     // NULL the pointer immediately — prevents accidental use-after-free

    printf("Buffer freed and pointer nulled.\n");
    return 0;
}

Double Pointers — Using Pointers to Pointers

A pointer to a pointer (int **) stores the address of another pointer. This extra level of indirection is necessary when a function needs to modify the pointer variable in the caller — not just the data it points to, but the pointer itself. Common use cases include:

• Linked list insertion at head: Pass &head (a Node**) so the insertion can update the head pointer to the new node. Without double pointers, the function would only modify a local copy.
• 2D dynamic arrays: int *matrix = malloc(rows sizeof(int*)); then allocate each row. Double pointer is the base.
• Reallocating buffers inside functions: As shown in the previous section, reassign_buffer uses double ** to change the caller's pointer.

Understanding double pointers makes you ready to implement dynamic data structures and to understand function signatures like main(int argc, char **argv) where argv is a pointer to an array of strings.

#include <stdio.h>
#include <stdlib.h>

typedef struct Node {
    int data;
    struct Node *next;
} Node;

// Insert at head – needs Node** to update the head pointer
void insert_at_head(Node **head_ptr, int value) {
    Node *new_node = malloc(sizeof(Node));
    if (new_node == NULL) return;
    new_node->data = value;
    new_node->next = *head_ptr;  // old head becomes second node
    *head_ptr = new_node;        // head now points to new node
}

void print_list(Node *head) {
    for (Node *cur = head; cur != NULL; cur = cur->next)
        printf("%d ", cur->data);
    printf("\n");
}

int main(void) {
    Node *head = NULL;
    insert_at_head(&head, 10);
    insert_at_head(&head, 20);
    insert_at_head(&head, 30);
    printf("List: ");
    print_list(head);

    // Cleanup
    while (head) {
        Node *tmp = head;
        head = head->next;
        free(tmp);
    }
    return 0;
}

Const and Pointers: The 4 Combinations

The const keyword interacts with pointers in four distinct ways. Reading the declaration from right to left is the trick: const int ptr means ptr is a pointer to a constant integer – you can change where ptr points, but you cannot modify the integer through it. int const ptr means ptr is a constant pointer to a integer – you cannot change the address stored in ptr, but you can modify the integer. const int const ptr locks both: the pointer is constant and the data is constant. int ptr is fully mutable.

In APIs, const int signals that a function will not modify the data (read‑only access). int const is rare but useful for hardware registers where you must always point to the same location. Getting these wrong produces compilation errors – a good thing, as the compiler enforces your intent.

#include <stdio.h>

int main(void) {
    int a = 10, b = 20;

    // pointer to const int: can change pointer, cannot change value via pointer
    const int *ptr_to_const = &a;
    // *ptr_to_const = 30;  // ERROR: assignment of read-only location
    ptr_to_const = &b;       // OK – pointer can move

    // const pointer to int: cannot change pointer, can change value
    int *const const_ptr_to_int = &a;
    *const_ptr_to_int = 40;  // OK – value modifiable
    // const_ptr_to_int = &b;  // ERROR: assignment of read-only location

    // const pointer to const int: neither can be changed
    const int *const const_ptr_to_const = &a;
    // *const_ptr_to_const = 50;  // ERROR
    // const_ptr_to_const = &b;   // ERROR

    printf("a = %d, b = %d\n", a, b);
    return 0;
}

Function Pointers and Callbacks in C

A function pointer stores the address of a function – just as a data pointer stores the address of a variable. They are heavily used for callbacks, plugin architectures, and event‑driven systems. The syntax is unusual: int (func_ptr)(int, int) declares a pointer to a function that takes two ints and returns an int. Assign it with func_ptr = &add; (or func_ptr = add; – the & is optional). Call it via (func_ptr)(3, 4) or func_ptr(3, 4).

The standard library qsort uses a function pointer for its comparator callback. This lets you sort any data type without copy‑pasting the sorting algorithm. Function pointers are also the backbone of interrupt vector tables in embedded systems and dynamic dispatch in low‑level OOP implementations.

#include <stdio.h>
#include <stdlib.h>

// Two simple operations
int add(int a, int b) { return a + b; }
int multiply(int a, int b) { return a * b; }

// Comparator for qsort (ascending order)
int compare_int(const void *a, const void *b) {
    int ia = *(const int *)a;
    int ib = *(const int *)b;
    return (ia > ib) - (ia < ib);
}

int main(void) {
    // Function pointer: points to any function with (int, int) → int
    int (*operation)(int, int) = NULL;

    operation = &add;
    printf("Add via function pointer: %d\n", operation(10, 5));

    operation = &multiply;
    printf("Multiply via function pointer: %d\n", operation(10, 5));

    // qsort example
    int values[] = {8, 3, 5, 1, 9};
    size_t n = sizeof(values) / sizeof(values[0]);
    qsort(values, n, sizeof(int), compare_int);

    printf("Sorted array: ");
    for (size_t i = 0; i < n; i++) printf("%d ", values[i]);
    printf("\n");
    return 0;
}

Comprehensive Guide to Special Pointer Types — NULL, Void, Wild, and Dangling

Beyond typed pointers, C has several special pointer categories that every developer must understand to avoid bugs and write robust code.

What to do when each appears in production: - NULL: Add defensive checks — the pointer is intentionally invalid, and a check prevents crash. - *void: Ensure the code that dereferences it knows the actual type. Use static_cast in C++ or explicit cast in C. Prefer typed pointers when possible. - Wild: Run with AddressSanitizer to detect use of uninitialized memory. Always initialize pointers at declaration. - Dangling**: Use tools like Valgrind or ASan to identify use-after-free. Adopt the pattern of setting pointer to NULL immediately after free and check for NULL before use.

Pointer Size on 32-bit vs 64-bit Architectures — What You Need to Know

The size of a pointer on a given platform depends on the address bus width. On 32-bit systems, pointers are 4 bytes (32 bits), limiting addressable memory to 4 GiB. On 64-bit systems, pointers are 8 bytes (64 bits), allowing a vastly larger address space. This matters for memory consumption, struct packing, and portability.

Key implication for structs: On 64-bit, fields after a pointer may be padded to align the pointer to an 8-byte boundary. This can increase struct size unexpectedly. Use #pragma pack or reorder fields to minimize padding.

#include <stdio.h>

int main(void) {
    printf("Pointer sizes (compile with -m32 or -m64 to change):\n");
    printf("sizeof(int*)   = %zu bytes\n", sizeof(int*));
    printf("sizeof(char*)  = %zu bytes\n", sizeof(char*));
    printf("sizeof(void*)  = %zu bytes\n", sizeof(void*));
    printf("sizeof(double*) = %zu bytes\n", sizeof(double*));
    printf("sizeof(int)    = %zu bytes\n", sizeof(int));
    return 0;
}