...
The following sections examine specific operations that are susceptible to unsigned integer wrap. When operating on small integer types (smaller than int), integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Make sure you understand integer conversion rules before trying to implement secure arithmetic operations. (See recommendation INT02-C. Understand integer conversion rules.)
...
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type. (See rules ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for information about adding a pointer to an integer.) Incrementing is equivalent to adding one.
...
Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or between a pointer to an object type and an integer type. See rules ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for information about pointer subtraction. Decrementing is equivalent to subtracting one.
...
The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer overflow vulnerability resulting from an unsigned integer wrap during the multiplication of the signed int value pen->num_vertices and the size_t value sizeof(cairo_pen_vertex_t) [VU#551436]. The signed int operand is converted to size_t prior to the multiplication operation so that the multiplication takes place between two size_t integers, which are unsigned. (See recommendation INT02-C. Understand integer conversion rules.)
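The size computation described above, beside a checked version, as an added example (not code from the original guideline or from Mozilla). The names vertex_t, size_unchecked, mul_would_wrap, size_checked and vertices_alloc are hypothetical, and the struct layout is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for cairo_pen_vertex_t; the fields are assumptions. */
typedef struct { double x, y; int slope_cw[2], slope_ccw[2]; } vertex_t;

/* What the unchecked expression computes: the signed count is converted to
 * size_t first, then multiplied modulo SIZE_MAX + 1. */
size_t size_unchecked(int num_vertices) {
    return (size_t)num_vertices * sizeof(vertex_t);
}

/* Precondition test for unsigned multiplication: a * b wraps exactly when
 * b is nonzero and a > SIZE_MAX / b. */
int mul_would_wrap(size_t a, size_t b) {
    return b != 0 && a > SIZE_MAX / b;
}

/* Checked size: returns 0 with the byte count in *out, or -1 if the count
 * is negative or the product is not representable in size_t. */
int size_checked(int num_vertices, size_t *out) {
    if (num_vertices < 0)
        return -1;                /* would convert to a huge size_t */
    if (mul_would_wrap((size_t)num_vertices, sizeof(vertex_t)))
        return -1;                /* product would wrap */
    *out = (size_t)num_vertices * sizeof(vertex_t);
    return 0;
}

/* Allocate only when the size computation did not wrap. */
vertex_t *vertices_alloc(int num_vertices) {
    size_t bytes;
    if (size_checked(num_vertices, &bytes) != 0 || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void) {
    size_t bytes = 0;
    /* Constructed inputs: -1 as an out-of-range count, 16 as a normal one. */
    printf("unchecked(-1): %zu bytes\n", size_unchecked(-1));
    printf("checked(-1):   %d\n", size_checked(-1, &bytes));
    int rc = size_checked(16, &bytes);
    printf("checked(16):   %d, %zu bytes\n", rc, bytes);
    return 0;
}
```
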
...
Tool | Version | Checker | Description
---|---|---|---
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: INT30-CPP. Ensure that unsigned integer operations do not wrap
...
[Dowd 2006] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
[ISO/IEC 9899:1999] Section 6.2.5, "Types," Section 6.5, "Expressions," and Section 7.10, "Sizes of integer types <limits.h>"
[ISO/IEC PDTR 24772] TR 24772 "XYY Wrap-around Error"
MITRE CWE: CWE-190, "Integer Overflow (Wrap or Wraparound)"
Bibliography
[Dowd 2006] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
[MITRE 2007] CWE ID 190, "Integer Overflow (Wrap or Wraparound)" (http://cwe.mitre.org/data/definitions/190.html)
[Seacord 2005] Chapter 5, "Integers"
[Viega 2005] Section 5.2.7, "Integer overflow"
[VU#551436]
[Warren 2002] Chapter 2, "Basics"
[Wojtczuk 2008]
[xorl 2009] "CVE-2009-1385: Linux kernel E1000 Integer Underflow" (http://xorl.wordpress.com/2009/06/10/cve-2009-1385-linux-kernel-e1000-integer-underflow/)
...