Do not assume that a right shift operation is implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If E1 in the expression E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined and may be either an arithmetic shift or a logical shift. Also, be careful to avoid undefined behavior while performing a bitwise shift (see INT36-C. Do not shift a negative number of bits or more bits than exist in the operand).

Non-Compliant Code Example

...

#include <stdio.h>

int rc = 0;
int stringify = 0x80000000;
char buf[sizeof("256")];
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc == -1 || rc >= sizeof(buf)) /* handle error */ ;

In this example, on an implementation that performs an arithmetic shift, stringify >> 24 evaluates to 0xFFFFFF80, or 4,294,967,168. When converted to a string, the resulting value "4294967168" is too large to store in buf and is truncated by snprintf().

...

Compliant Solution

Masking the shifted value restricts the result to the low byte regardless of whether the implementation shifts arithmetically or logically:

#include <stdio.h>

int rc = 0;
int stringify = 0x80000000;
char buf[sizeof("256")];
rc = snprintf(buf, sizeof(buf), "%u", ((stringify >> 24) & 0xff));
if (rc == -1 || rc >= sizeof(buf)) /* handle error */ ;

Also, consider using the sprintf_s() function defined in ISO/IEC TR 24731-1 instead of snprintf() to provide some additional checks (see STR00-A. Use TR 24731 for remediation of existing string manipulation code).
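The following added example (not from the CERT page) contrasts the shift-only extraction above with a portable form that converts to unsigned before shifting, and reproduces the snprintf() truncation check against the same 4-byte buffer. The helper names (right_shift_is_arithmetic, top_byte_shift_only, top_byte_masked, format_top_byte) are assumptions introduced here.

```c
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if this implementation sign-extends when right-shifting a
 * negative signed int (arithmetic shift), 0 if it shifts in zeros. */
int right_shift_is_arithmetic(void) {
    int x = -1;
    return (x >> 1) < 0;
}

/* Unportable, as in the noncompliant example: shifting a negative value
 * is implementation-defined, so the "byte" may carry sign-extension bits. */
unsigned top_byte_shift_only(int32_t value) {
    return (unsigned)(value >> 24);
}

/* Portable: convert to unsigned first (well-defined, modulo 2^32), then
 * shift and mask. Right shift of an unsigned value is always logical. */
unsigned top_byte_masked(int32_t value) {
    return ((uint32_t)value >> 24) & 0xffu;
}

/* Formats the top byte of value into a buffer sized for three digits, as in
 * the page's example. Returns 0 on success, -1 if snprintf() reported an
 * error or truncated the output. */
int format_top_byte(int32_t value, int use_mask) {
    char buf[sizeof("256")];                     /* 4 bytes, holds "255" */
    unsigned byte = use_mask ? top_byte_masked(value)
                             : top_byte_shift_only(value);
    int rc = snprintf(buf, sizeof(buf), "%u", byte);
    if (rc < 0 || (size_t)rc >= sizeof(buf)) {
        return -1;                               /* e.g. "4294967168" does not fit */
    }
    return 0;
}

int main(void) {
    int32_t v = INT32_MIN;                       /* the page's 0x80000000 as a signed value */
    printf("arithmetic shift: %s\n", right_shift_is_arithmetic() ? "yes" : "no");
    printf("shift only:       %s\n", format_top_byte(v, 0) == 0 ? "ok" : "truncated");
    printf("masked:           %s\n", format_top_byte(v, 1) == 0 ? "ok" : "truncated");
    return 0;
}
```

On an arithmetic-shift implementation the shift-only path reports truncation while the masked path succeeds; on a logical-shift implementation both succeed, which is exactly the portability hazard the rule describes.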

Risk Assessment

Improper range checking can lead to buffer overflows and the execution of arbitrary code by an attacker.

Recommendation | Severity | Likelihood   | Remediation Cost | Priority | Level
INT13-A        | 3 (high) | 1 (unlikely) | 2 (medium)       | P6       | L2

...