Versions Compared

Comment: changes to examples to match new coding guideline, except for the Mozilla examples

...

Code Block (C, noncompliant)
unsigned int ui_a;
unsigned int ui_b;
unsigned int usum;

void func(void) {
  /* Initialize ui_a and ui_b */

  usum = ui_a + ui_b;

  /* ... */
}

Compliant Solution (Precondition Test)

...

Code Block (C, compliant)
#include <limits.h>
 
unsigned int ui_a;
unsigned int ui_b;
unsigned int usum;

void func(void) {
  /* Initialize ui_a and ui_b */

  if (UINT_MAX - ui_a < ui_b) {
    /* Handle error condition */
  } else {
    usum = ui_a + ui_b;
  }

  /* ... */
}

Compliant Solution (Postcondition Test)

...

Code Block (C, compliant)
unsigned int ui_a;
unsigned int ui_b;
unsigned int usum;

void func(void) {
  /* Initialize ui_a and ui_b */

  usum = ui_a + ui_b;
  if (usum < ui_a) {
    /* Handle error condition */
  }

  /* ... */
}

Subtraction

...

Code Block (C, noncompliant)
unsigned int ui_a;
unsigned int ui_b;
unsigned int udiff;

void func(void) {
  /* Initialize ui_a and ui_b */

  udiff = ui_a - ui_b;

  /* ... */
}

Compliant Solution (Precondition Test)

...

Code Block (C, compliant)
unsigned int ui_a;
unsigned int ui_b;
unsigned int udiff;

void func(void) {
  /* Initialize ui_a and ui_b */

  if (ui_a < ui_b) {
    /* Handle error condition */
  } else {
    udiff = ui_a - ui_b;
  }

  /* ... */
}

Compliant Solution (Postcondition Test)

...

Code Block (C, compliant)
unsigned int ui_a;
unsigned int ui_b;
unsigned int udiff;

void func(void) {
  /* Initialize ui_a and ui_b */

  udiff = ui_a - ui_b;
  if (udiff > ui_a) {
    /* Handle error condition */
  }

  /* ... */
}

Multiplication

...

Noncompliant Code Example

The Mozilla Foundation Security Advisory 2007-01 describes a heap buffer overflow vulnerability in the Mozilla Scalable Vector Graphics (SVG) viewer resulting from an unsigned integer wrap during the multiplication of the signed int value pen->num_vertices and the size_t value sizeof(cairo_pen_vertex_t) [VU#551436]. The signed int operand is converted to size_t prior to the multiplication, so the multiplication takes place between two size_t integers, which are unsigned. (See INT02-C. Understand integer conversion rules.)
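The following is an added example, not code from the CERT page or from Mozilla: it carries out the advisory's size computation with both hazards handled, rejecting a negative count before the implicit conversion to size_t and then applying a precondition test to the unsigned product. cairo_pen_vertex_t is a stand-in struct, and checked_mul_size, vertex_array_size and unchecked_vertex_array_size are assumed names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for cairo's vertex type (assumed layout; the real struct is
 * not on this page). Only its size matters for the computation. */
typedef struct { double x, y; } cairo_pen_vertex_t;

/* Precondition test for unsigned multiplication: succeeds only if a * b
 * cannot wrap. b == 0 is handled before dividing by it. */
bool checked_mul_size(size_t a, size_t b, size_t *out) {
  if (b != 0 && a > SIZE_MAX / b) {
    return false;   /* product would wrap modulo SIZE_MAX + 1 */
  }
  *out = a * b;
  return true;
}

/* The advisory's computation with both hazards handled: a negative int
 * is rejected BEFORE it is converted to size_t (INT02-C), and only then
 * is the unsigned product range-checked (INT30-C). */
bool vertex_array_size(int num_vertices, size_t *out) {
  if (num_vertices < 0) {
    return false;   /* (size_t)-1 is SIZE_MAX, not an error value */
  }
  return checked_mul_size((size_t)num_vertices,
                          sizeof(cairo_pen_vertex_t), out);
}

/* The unchecked form: num_vertices is converted to size_t by the usual
 * arithmetic conversions and the product silently wraps modulo
 * SIZE_MAX + 1, so a bogus count yields a bogus allocation size. */
size_t unchecked_vertex_array_size(int num_vertices) {
  return num_vertices * sizeof(cairo_pen_vertex_t);
}
```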

...

Code Block (C, noncompliant)
#include <stdatomic.h>

atomic_uint i;      /* unsigned: the wrap this rule covers is unsigned */
unsigned int ui_a;

void func(void) {
  atomic_init(&i, 42);
  /* Initialize ui_a */

  atomic_fetch_add(&i, ui_a);   /* may wrap silently; nothing checks it */
  /* ... */
}


Compliant Solution

This compliant solution performs a postcondition test to ensure that the result of the unsigned addition operation to i is not less than the operand ui_a:


Code Block (C, compliant)
#include <stdatomic.h>

atomic_uint i;
unsigned int ui_a;

void func(void) {
  /* Initialize ui_a, i */

  atomic_fetch_add(&i, ui_a);
  /* Postcondition test: an unsigned sum that wrapped is smaller than
   * the operand that was added */
  if (atomic_load(&i) < ui_a) {
    /* Handle error condition */
  }
  /* ... */
}

Exceptions

INT30-EX1. Unsigned integers can exhibit modulo behavior (wrapping) only when this behavior is necessary for the proper execution of the program. It is recommended that the variable declaration be clearly commented as supporting modulo behavior and that each operation on that integer also be clearly commented as supporting modulo behavior.

...