SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 154

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ccccff
langc
unsigned short x = 45000, y = 50000;
unsigned int z = x * (unsigned int)y;

Risk Assessment

Misunderstanding e C integer conversion rules define how C compilers handle conversions. These rules include integer promotions, integer conversion rank, and the usual arithmetic conversions. The intent of the rules is to ensure that the conversions result in the same numerical values and that these values minimize surprises in the rest of the computation. Prestandard C usually preferred to preserve signedness of the type.

Risk Assessment

Misunderstanding integer conversion rules can lead to errors, which in turn can lead to exploitable vulnerabilities. The major risks occur when narrowing the type (which requires a specific cast or assignment), converting from unsigned to signed, or converting from negative to unsigned.

can lead to errors, which in turn can lead to exploitable vulnerabilities. The major risks occur when narrowing the type (which requires a specific cast or assignment), converting from unsigned to signed, or converting from negative to unsigned.

Recommendation

Severity

Likelihood

Detectable

Repairable

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT02-C

Medium

Probable

No

MediumNo

P8 P4

L2 L3

Automated Detection


PRECISION.LOSS

52 S, 93 S, 96 S, 101 S, 107 S, 332 S, 334 S, 433 S, 434 S, 446 S, 452 S, 457 S, 458 S

CERT C: Rec. INT02-C

V555, V605, V673, V5006

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.SIZE.TRUNC

LANG.CAST.COERCE

LANG.CAST.VALUE

MISC.MEM.SIZE.TRUNC

Truncation of Allocation Size

Coercion Alters Value

Cast Alters Value

Truncation of Size

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.INT02

Fully implemented

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1250, C1251, C1252, C1253, C1256, C1257, C1260, C1263, C1266, C1274, C1290, C1291, C1292, C1293, C1294, C1295, C1296, C1297, C1298, C1299, C1800, C1802, C1803, C1804, C1810, C1811, C1812, C1813, C1820, C1821, C1822, C1823, C1824, C1830, C1831, C1832, C1833, C1834, C1840, C1841, C1842, C1843, C1844, C1850, C1851, C1852, C1853, C1854, C1860, C1861, C1862, C1863, C1864, C1880, C1881, C1882, C2100, C2101, C2102, C2103, C2104, C2105, C2106, C2107, C2109, C2110, C2111, C2112, C2113, C2114, C2115, C2116, C2117, C2118, C2119, C2120, C2122, C2124, C2130, C2132, C2134, C4401, C4402, C4403, C4404, C4405, C4410, C4412, C4413, C4414, C4415, C4420, C4421, C4422, C4423, C4424, C4425, C4430, C4431, C4432, C4434, C4435, C4436, C4437, C4440, C4441, C4442, C4443, C4445, C4446, C4447, C4460, C4461, C4463, C4464, C4470, C4471, C4480, C4481


Klocwork
Include Page
Klocwork_V
Klocwork_V
MISRA.CAST.INT
MISRA.CAST.UNSIGNED_BITS
MISRA.CONV.INT.SIGN
MISRA.CVALUE.IMPL.CAST
MISRA.UMINUS.UNSIGNED		LDRA tool suite
Include Page
LDRA_VLDRA_V
PRECISION.LOSS
LDRA tool suite
Include Page
LDRA_V
LDRA_V


52 S, 93 S, 96 S, 101 S, 107 S, 332 S, 334 S, 433 S, 434 S, 446 S, 452 S, 457 S, 458 S

Fully implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-INT02-a
CERT_C-INT02-b

Implicit conversions from wider to narrower integral type which may result in a loss of information shall not be used
Avoid mixing arithmetic of different precisions in the same expression

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

501, 502, 569, 570, 573,
574, 701, 702, 732, 734,
737

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. INT02-C


Checks for sign change integer conversion overflow (rec. fully supported)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V555, V605, V673, V5006
Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

CbOB
CconstVariable
CdLT
CdoubleFree
CduplicateCondition
CE11
CE12
CE13
CE256
CE6
CE6_S
CE7
CfCO
CinvalidLifetime
CinvalidScanfArgType_int
CiRV
CiSFW
CknownConditionTrueFalse
Fully implemented

Fully implemented

Parasoft C/C++test
Include Page
Parasoft_VParasoft_V

CERT_C-INT02-a
CERT_C-INT02-b

Implicit conversions from wider to narrower integral type which may result in a loss of information shall not be used
Avoid mixing arithmetic of different precisions in the same expression

PC-lint Plus
Include Page
PC-lint Plus_VPC-lint Plus_V

501, 502, 569, 570, 573,
574, 701, 702, 732, 734,
737

Partially supported

Polyspace Bug Finder
Include Page
Polyspace Bug Finder_VPolyspace Bug Finder_V

Checks for sign change integer conversion overflow (rec. fully supported)

PVS-Studio
Include Page
PVS-Studio_VPVS-Studio_V

Related Vulnerabilities

This vulnerability in Adobe Flash arises because Flash passes a signed integer to calloc(). An attacker has control over this integer and can send negative numbers. Because calloc() takes size_t, which is unsigned, the negative number is converted to a very large number, which is generally too big to allocate, and as a result, calloc() returns NULL, causing the vulnerability to exist.

...