...
This rule applies to any InputStream or Reader subclass that provides an implementation of the read() method. This rule is a specific instance of rule NUM12-J, "Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data."
Noncompliant Code Example (byte)
This noncompliant code example casts the value returned by the read() method directly to a value of type byte and then compares this value with -1 in an attempt to detect the end of the stream.
...
If the read() method encounters a 0xFF byte in the file, this value is indistinguishable from the -1 value used to indicate the end of stream, because the byte value is promoted and sign-extended to an int before being compared with -1. Consequently, the loop can halt prematurely if a 0xFF byte is read.
Compliant Solution (byte)
Use a variable of type int to capture the return value of the byte input method. When the value returned by read() is not -1, it can be safely cast to type byte. When read() returns 0x000000FF, the comparison will test against 0xFFFFFFFF, which evaluates to false.
```java
FileInputStream in;
// initialize stream
int inbuff;
byte data;
while ((inbuff = in.read()) != -1) {
  data = (byte) inbuff;
  // ...
}
```
Noncompliant Code Example (char)
This noncompliant code example casts the value of type int returned by the read() method directly to a value of type char, which is then compared with -1 in an attempt to detect the end of stream. This conversion leaves the value of data as 0xFFFF (that is, Character.MAX_VALUE) instead of -1. Consequently, the test for the end of file never evaluates to true.
```java
FileReader in;
// initialize stream
char data;
while ((data = (char) in.read()) != -1) {
  // ...
}
```
Compliant Solution (char)
Use a variable of type int to capture the return value of the character input method. When the value returned by read() is not -1, it can be safely cast to type char.
```java
FileReader in;
// initialize stream
int inbuff;
char data;
while ((inbuff = in.read()) != -1) {
  data = (char) inbuff;
  // ...
}
```
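The following self-contained program is an added example, not code from the original rule. It runs the byte and char loops described above against constructed in-memory input so that both failure modes can be observed. The class name, method names, and sample data are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.io.StringReader;

// Added illustration; class and method names are hypothetical.
public class ReadReturnDemo {
  // Noncompliant (byte): narrows before the end-of-stream test, so a 0xFF
  // data byte sign-extends to -1 and ends the loop early.
  static int countNarrowed(InputStream in) throws IOException {
    int n = 0;
    byte data;
    while ((data = (byte) in.read()) != -1) {
      n++;
    }
    return n;
  }

  // Compliant (byte): tests the int result first, then narrows.
  static int countChecked(InputStream in) throws IOException {
    int n = 0;
    int inbuff;
    while ((inbuff = in.read()) != -1) {
      byte data = (byte) inbuff; // safe: inbuff is in the range 0..255 here
      n++;
    }
    return n;
  }

  // Noncompliant (char): (char) -1 is 0xFFFF, which never equals -1 after
  // promotion to int. The limit guard only keeps this demonstration finite.
  static boolean charLoopOverruns(Reader in, int limit) throws IOException {
    int reads = 0;
    char data;
    while ((data = (char) in.read()) != -1) {
      if (++reads > limit) {
        return true; // still looping well past the end of the input
      }
    }
    return false;
  }

  public static void main(String[] args) throws IOException {
    byte[] sample = {0x41, 0x42, (byte) 0xFF, 0x43, 0x44}; // constructed input
    System.out.println("narrowed loop bytes seen: " + countNarrowed(new ByteArrayInputStream(sample)));
    System.out.println("checked loop bytes seen:  " + countChecked(new ByteArrayInputStream(sample)));
    System.out.println("char loop ran past end:   " + charLoopOverruns(new StringReader("abc"), 10));
  }
}
```

The narrowed loop stops at the 0xFF byte and never sees the bytes after it, while the char loop keeps running after the three-character input is exhausted.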
Risk Assessment
Historically, using a narrow type to capture the return value of a byte input method has resulted in significant vulnerabilities, including command injection attacks; see the CA-1996-22 advisory. Consequently, the severity of this error is high.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO08-J | high | probable | medium | P12 | L1 |
Automated Detection
Some static analysis tools can detect violations of this rule.
Related Guidelines
Bibliography
...