Bitwise operators include the complement operator
~, bitwise shift operators
<<, bitwise AND operator
&, bitwise exclusive OR operator
^, bitwise inclusive OR operator
| and compound assignment operators >>=, <<=, &=, ^= and |=. Bitwise operators should be used only with unsigned integer operands, as the results of bitwise operations on signed integers are implementation-defined.
The C11 standard, section 6.5, paragraph 4 [ISO/IEC 9899:2011], states:
Some operators (the unary operator ~ , and the binary operators <<, >>, &, ^, and |, collectively described as bitwise operators) shall have operands that have integral type. These operators return values that depend on the internal representations of integers, and thus have implementation-defined and undefined aspects for signed types.
Furthermore, the bitwise shift operators << and
>> are undefined under many circumstances, and are implementation-defined for signed integers for more circumstances; see rule INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand for more information.
The Microsoft C compiler documentation says that:
Bitwise operations on signed integers work the same as bitwise operations on unsigned integers.
On-line GCC documentation about the implementation of bitwise operations on signed integers says:
Bitwise operators act on the representation of the value including both the sign and value bits, where the sign bit is considered immediately above the highest-value value bit.
Noncompliant Code Example (Right Shift)
The right-shift operation may be implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If
E1 in the expression
E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined. Also, a bitwise shift can result in undefined behavior. (See INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.)
In this example,
stringify >> 24 evaluates to
0xFFFFFF80, or 4,294,967,168. When converted to a string, the resulting value
"4294967168" is too large to store in
buf and is truncated by
If this code had been implemented using
sprintf() instead of
snprintf(), this noncompliant code example would have resulted in a buffer overflow.
Compliant Solution (Right Shift)
In this compliant solution,
stringify is declared as an
unsigned integer. The value of the result of the right-shift operation is the integral part of the quotient of
/ 2 ^ 24:
Also, consider using the
sprintf_s() function, defined in ISO/IEC TR 24731-1, instead of
snprintf() to provide some additional checks. (See STR07-C. Use the bounds-checking interfaces for string manipulation.)
INT13-C-EX1: When used as bit flags, it is acceptable to use preprocessor macros or enumeration constants as arguments to the
| operators even if the value is not explicitly declared as unsigned.
INT13-C-EX2: If the right-side operand to a shift operator is known at compile time, it is acceptable for the value to be represented with a signed type provided it is positive.
Performing bitwise operations on signed numbers can lead to buffer overflows and the execution of arbitrary code by an attacker in some cases, unexpected or implementation-defined behavior in others.
|Axivion Bauhaus Suite|
|LANG.TYPE.IOT||Inappropriate operand type|
Can detect violations of this rule. In particular, it flags bitwise operations that involved variables not declared with
C4532, C4533, C4534, C4543, C4544
|LDRA tool suite|
|CERT_C-INT13-a||Bitwise operators shall only be applied to operands of unsigned underlying type|
Partially supported: reports use of a bitwise operator on an expression with a signed MISRA C 2004 underlying type
Checks for bitwise operation on negative value (rec. fully covered)
|SonarQube C/C++ Plugin|
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
|SEI CERT C++ Coding Standard||VOID INT13-CPP. Use bitwise operators only on unsigned operands|
|ISO/IEC TR 24772:2013||Bit Representations [STR]|
Arithmetic Wrap-around Error [FIF]
Sign Extension Error [XZI]
|MITRE CWE||CWE-682, Incorrect calculation|
|[Dowd 2006]||Chapter 6, "C Language Issues"|
|[C99 Rationale 2003]||Subclause 6.5.7, "Bitwise Shift Operators"|