...
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type. (See guidelines ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for rules about adding a pointer to an integer.) Incrementing is equivalent to adding one.
...
```c
int si1, si2, sum;

/* Initialize si1 and si2 */

sum = si1 + si2;
```
Compliant Solution (Pre-Condition Test, Two's Complement)
This compliant solution performs a pre-condition test of the operands of the addition to ensure no overflow occurs, assuming two's complement representation.
...
This compliant solution works only on architectures that use two's complement representation. While most modern platforms use two's complement representation, it is best not to introduce unnecessary platform dependencies. (See guideline MSC14-C. Do not introduce unnecessary platform dependencies.) This solution can also be more expensive than a post-condition test, especially on RISC CPUs.
...
Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or between a pointer to an object type and an integer type. See guidelines ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for rules about pointer subtraction. Decrementing is equivalent to subtracting one.
...
This compliant solution works only on architectures that use two's complement representation. While most modern platforms use two's complement representation, it is best not to introduce unnecessary platform dependencies. (See guideline MSC14-C. Do not introduce unnecessary platform dependencies.)
...
The compliant solution uses a static assertion to ensure that the overflow detection will succeed. See guideline DCL03-C. Use a static assertion to test the value of a constant expression for a discussion of static assertions.
...
Division is between two operands of arithmetic type. Overflow can occur during two's-complement signed integer division when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to -1. Division operations are also susceptible to divide-by-zero errors. (See guideline INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors.)
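The pre-condition tests for addition, subtraction and division described above, as an added example that is not one of the page's own compliant solutions: these helpers check the operands against INT_MAX and INT_MIN before evaluating the expression, so they do not depend on two's complement representation, and the division check covers both the INT_MIN / -1 overflow case and the divide-by-zero case. The function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Each helper returns true and stores the result in *out only when the
 * operation cannot overflow; on failure *out is left untouched. None of
 * them ever evaluates the potentially overflowing expression. */

bool safe_add(int a, int b, int *out) {
    /* a + b > INT_MAX when b > 0, or a + b < INT_MIN when b < 0 */
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return false;
    }
    *out = a + b;
    return true;
}

bool safe_sub(int a, int b, int *out) {
    /* a - b < INT_MIN when b > 0, or a - b > INT_MAX when b < 0 */
    if ((b > 0 && a < INT_MIN + b) || (b < 0 && a > INT_MAX + b)) {
        return false;
    }
    *out = a - b;
    return true;
}

bool safe_div(int a, int b, int *out) {
    /* Divide-by-zero (INT33-C) and the single overflowing quotient,
     * INT_MIN / -1, whose true value INT_MAX + 1 is not representable. */
    if (b == 0 || (a == INT_MIN && b == -1)) {
        return false;
    }
    *out = a / b;
    return true;
}

int main(void) {
    int r = 0;
    printf("INT_MAX + 1 representable? %d\n", safe_add(INT_MAX, 1, &r));
    printf("INT_MIN - 1 representable? %d\n", safe_sub(INT_MIN, 1, &r));
    printf("INT_MIN / -1 representable? %d\n", safe_div(INT_MIN, -1, &r));
    printf("7 / -2 ok? %d, result %d\n", safe_div(7, -2, &r), r);
    return 0;
}
```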
Noncompliant Code Example
...
This compliant solution is based on the fact that both the division and modulo operators truncate towards zero, as specified in a footnote in paragraph 6.5.5 of the C99 standard. This guarantees that:
`i % j`
and
`i % -j`
...
This solution is also compliant with guideline INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.
...
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| INT32-C | high | likely | high | P9 | L2 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
...
...
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
Related Guidelines
This rule appears in the C++ Secure Coding Standard as INT32-CPP. Ensure that operations on signed integers do not result in overflow.
This rule appears in the Java Secure Coding Standard as INT00-J. Perform explicit range checking to ensure integer operations do not overflow.
Bibliography
- [Dowd 06] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
- [ISO/IEC 9899:1999] Section 6.5, "Expressions," and Section 7.10, "Sizes of integer types <limits.h>"
- [ISO/IEC PDTR 24772] "XYY Wrap-around Error"
- [MITRE 07] CWE ID 129, "Unchecked Array Indexing" (http://cwe.mitre.org/data/definitions/129.html) and CWE ID 190, "Integer Overflow (Wrap or Wraparound)" (http://cwe.mitre.org/data/definitions/190.html)
- [Seacord 05] Chapter 5, "Integers"
- [Viega 05] Section 5.2.7, "Integer overflow"
- [VU#551436]
- [Warren 02] Chapter 2, "Basics"
...