SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 220

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 221

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The assertion fails if long long has less than twice the width of int. The  UWIDTH() macro and popcount() function are explained in INT19INT35-C. Correctly compute Use correct integer widths.  The following portable compliant solution can be used for on any conforming implementation, including those where this assertion fails:

...

The remainder operator provides the remainder when two operands of integer type are divided. Because many platforms implement remainder and division in the same instruction, the remainder operator has the same possibilities of is also susceptible to arithmetic overflow and division by 0. (See INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors.)

Noncompliant Code Example

Many hardware platforms architectures implement remainder as part of the division operator, which can overflow. Overflow can occur during a remainder operation when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1. This occurs even though the result of such a remainder operation is mathematically 0.

...

This compliant solution tests the remainder operand operands to guarantee there is no possibility of an overflow or a divide-by-zero error:

Code Block
bgColor#ccccff
langc
#include <limits.h>
 
void func(signed long s_a, signed long s_b) {
  signed long result;
  if ((s_b == 0 ) || ((s_a == LONG_MIN) && (s_b == -1))) {
    /* Handle error */
  } else {
    result = s_a % s_b;
  }
  
  /* ... */
}

...

The C Standard, 6.5.7 paragraph 4 [ISO/IEC 9899:2011], states

...

In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a bug (logic error). These issues are covered by INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.

Noncompliant Code Example

This noncompliant code example can result in an unrepresentable value. 

Code Block
bgColor#FFcccc
langc
#include <limits.h>
#include <stddef.h>
#include <inttypes.h>
 
extern size_t popcount(uintmax_t);
#define UWIDTH(umax_value) popcount(umax_value) 

void func(signed long si_a, signed long si_b) {
  signed long result;
  if ((si_a < 0) || (si_b < 0) ||
      (si_b >= UWIDTH(ULONG_MAX)) {
    /* Handle error */
  } else {
    result = si_a << si_b;
  }
 
  /* ... */
}

...

Compliant Solution
This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:
...
CERT C Secure Coding Standard
INT02-C. Understand integer conversion rules
INT19INT35-C. Correctly compute Use correct integer widths
INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors
INT34-C. Do not shift a negative number of bits or more bits than exist in the operand
ARR30-C. Do not form or use out of bounds pointers or array subscripts
ARR36-C. Do not subtract or compare two pointers that do not refer to the same array
ARR37-C. Do not add or subtract an integer to a pointer to a non-array object
MSC15-C. Do not depend on undefined behavior
CON08-C. Do not assume that a group of calls to independently atomic methods is atomic
CERT C++ Secure Coding StandardINT32-CPP. Ensure that operations on signed integers do not result in overflow
CERT Oracle Secure Coding Standard for JavaINT00-J. Perform explicit range checking to avoid integer overflow
ISO/IEC TR 24772:2013Arithmetic Wrap-around Error [FIF]
ISO/IEC TS 17961Overflowing signed integers [intoflow]
MITRE CWECWE-129, Unchecked array indexing
CWE-190, Integer overflow (wrap or wraparound)
...