Signed character data must be converted to unsigned char before being assigned or converted to a larger signed type. Because compilers have the latitude to define char to have the same range, representation, and behavior as either signed char or unsigned char, this rule should be applied to both signed char and (plain) char characters.
This rule is applicable only in cases where the character data may contain values that can be interpreted as negative. For example, if the char type is represented by a two's complement 8-bit value, any character value greater than +127 is interpreted as a negative value.
...
This noncompliant code example is taken from a vulnerability in bash versions 1.14.6 and earlier that led to the release of CERT Advisory CA-1996-22. The vulnerability resulted from the sign extension of character data referenced by the string pointer in the yy_string_get() function in the parse.y module of the bash source code:
...
In this noncompliant example, the cast of *s to unsigned int may produce a value in excess of UCHAR_MAX because of integer promotions: where char is signed, a character with its high bit set is first sign-extended to a negative int and only then converted to a (very large) unsigned value. The function consequently violates the guarantee that array indices are within the valid range, leading to undefined behavior.
```c
#include <limits.h>

static const char table[UCHAR_MAX] = { /* ... */ };

int first_not_in_table(const char *str) {
  const char *s = str;
  for (; *s; ++s) {
    if (table[(unsigned)*s] != *s)
      return s - str;
  }
  return -1;
}
```
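The following is an added example (not code from the CERT page or from bash) that puts the noncompliant subscript computation next to the compliant one, and rewrites first_not_in_table() to index through unsigned char. The table contents, init_table() and the sample strings are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

/* Subscript as the noncompliant code computes it: plain char straight to
   unsigned int. Where char is signed, the byte 0xE9 is first sign-extended
   to int (-23) and only then converted to unsigned, giving UINT_MAX - 22,
   far outside any table of UCHAR_MAX + 1 entries. */
unsigned int index_noncompliant(char c) {
    return (unsigned)c;
}

/* Subscript computed the compliant way: convert to unsigned char first, so
   the value is always 0..UCHAR_MAX whatever the signedness of char. */
unsigned int index_compliant(char c) {
    return (unsigned char)c;
}

/* Lookup table sized for every possible unsigned char value. init_table()
   fills it with the identity mapping for ASCII letters and digits
   (constructed contents for this example; everything else stays 0). */
static char table[UCHAR_MAX + 1];

void init_table(void) {
    for (int c = 0; c <= UCHAR_MAX; ++c) {
        int ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                 (c >= 'a' && c <= 'z');
        table[c] = ok ? (char)c : 0;
    }
}

/* Compliant form of the page's first_not_in_table(): same logic, but the
   subscript goes through unsigned char, so it can never be negative or
   exceed UCHAR_MAX, even for bytes with the high bit set. */
int first_not_in_table(const char *str) {
    static int ready = 0;
    if (!ready) { init_table(); ready = 1; }
    const char *s = str;
    for (; *s; ++s) {
        if (table[(unsigned char)*s] != *s) {
            return (int)(s - str);
        }
    }
    return -1;
}

int main(void) {
    printf("subscript for 0xE9, noncompliant: %u\n", index_noncompliant('\xE9'));
    printf("subscript for 0xE9, compliant:    %u\n", index_compliant('\xE9'));
    printf("first_not_in_table(\"ab\\xE9\") = %d\n", first_not_in_table("ab\xE9"));
    return 0;
}
```

On an implementation with signed char the first line of output shows a subscript of about four billion; with unsigned char both subscripts are 233, which is why the rule targets plain and signed char alike.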
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Can detect violations of this rule when checking for violations of INT07-C. Use only explicitly signed or unsigned char type for numeric values. |
| Fortify SCA | V. 5.0 | | Can detect violations of this rule with CERT C Rule Pack. |
| GCC | 2.95 and later | | Detects objects of type |
| LDRA tool suite | | 434 S | Fully implemented. |
| PRQA QA-C | | 3704 | Fully implemented. |
Related Vulnerabilities
CVE-2009-0887 results from a violation of this rule. In Linux PAM (up to version 1.0.3), the libpam implementation of strtok casts a (potentially signed) character to an integer for use as an index into an array. An attacker can exploit this vulnerability by inputting a string with non-ASCII characters, causing the cast to produce a negative index and access memory outside of the array [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
| Guideline | Entry |
|---|---|
| ISO/IEC TR 17961 | (Draft) Conversion of signed characters to wider integer types before a check for EOF [signconv] |
| MISRA-C | Rule 6.1 (required): The plain char type shall be used only for the storage and use of character values |
| | Incorrect type conversion or cast |
...
Bibliography
...