Page History

Wiki MarkupConversions can occur explicitly as the result of a cast or implicitly as required by an operation. While Although conversions are generally required for the correct execution of a program, they can also lead to lost or misinterpreted data. Conversion of an operand value to a compatible type causes no change to the value or the representation \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\].

The C99 C integer conversion rules define how C compilers handle conversions. These rules include integer promotions, integer conversion rank, and the usual arithmetic conversions. The intent of the rules is to ensure that the conversions result in the same numerical values , and that these values minimize surprises in the rest of the computation. Prestandard C usually preferred to preserve signedness of the type.

...

Integer types smaller than int are promoted when an operation is performed on them. If all values of the original type can be represented as an int, the value of the smaller type is converted to an int; otherwise, it is converted to an unsigned int. Integer promotions are applied as part of the usual arithmetic conversions to certain argument expressions; operands of the unary +, -, and ~ operators, ; and operands of the shift operators. The following code fragment shows the application of integer promotions:

char c1, c2;
c1 = c1 + c2;

Integer promotions require the promotion of each variable (c1 and c2) to int size. The two int values are added, and the sum is truncated to fit into the char type. Integer promotions are performed to avoid arithmetic errors resulting from the overflow of intermediate values:

signed char cresult, c1, c2, c3;
c1 = 100;
c2 = 3;
c3 = 4;
cresult = c1 * c2 / c3;

...

Every integer type has an integer conversion rank that determines how conversions are performed. The ranking is based on the concept that each integer type contains at least as many bits as the types ranked below it. The following rules for determining integer conversion rank are defined in C99the C Standard, subclause 6.3.1.1 [ISO/IEC 9899:2011]:

• No two different signed integer types shall have the same rank, even if they have the same representation.
• The rank of a signed integer type is shall be greater than the rank of any signed integer type with less precision.
• The rank of long long int is shall be greater than the rank of long int, which is shall be greater than the rank of int, which is shall be greater than the rank of short int, which is shall be greater than the rank of signed char.
• The rank of any unsigned integer type is shall equal to the rank of the corresponding signed integer type, if any.
• The rank of any standard integer type is shall be greater than the rank of any extended integer type with the same width.
• The rank of char is shall equal to the rank of signed char and unsigned char.
• The rank of _Bool shall be less than the rank of all other standard integer types.
• The rank of any enumerated type shall equal the rank of the compatible integer type.
• The rank of any extended signed integer type relative to another extended signed integer type with the same precision is implementation-defined but still subject to the other rules for determining the integer conversion rank.
• For all integer types T1, T2, and T3, if T1 has greater rank than T2, and T2 has greater rank than T3, then T1 has greater rank than T3.

The integer conversion rank is used in the usual arithmetic conversions to determine what conversions need to take place to support an operation on mixed integer types.

...

1. If both operands have the same type, no further conversion is needed.
2. If both operands are of the same integer type (signed or unsigned), the operand with the type of lesser integer conversion rank is converted to the type of the operand with greater rank.
3. If the operand that has unsigned integer type has rank greater than or equal to the rank of the type of the other operand, the operand with signed integer type is converted to the type of the operand with unsigned integer type.
4. If the type of the operand with signed integer type can represent all of the values of the type of the operand with unsigned integer type, the operand with unsigned integer type is converted to the type of the operand with signed integer type.
5. Otherwise, both operands are converted to the unsigned integer type corresponding to the type of the operand with signed integer type. Specific operations can add to or modify the semantics of the usual arithmetic operations.

Example

In the following example, assume the code is compiled using an implementation with 8-bit char, 32-bit int, and 64-bit long long:

signed char sc = SCHAR_MAX;
unsigned char uc = UCHAR_MAX;
signed long long sll = sc + uc;

Both the signed char sc and the unsigned char uc are subject to integer promotions in this example. Because all values of the original types can be represented as int, both values are automatically converted to int as part of the integer promotions. Further conversions are possible , if the types of these variables are not equivalent as a result of the usual arithmetic conversions. The actual addition operation, in this case, takes place between the two 32-bit int values. This operation is not influenced by the resulting value being stored in a signed long long integer. The 32-bit value resulting from the addition is simply sign-extended to 64 bits after the addition operation has concluded.

Assuming that the precision of signed char is 7 bits, and the precision of unsigned char is 8 bits, this operation is perfectly safe. However, if the compiler represents the signed char and unsigned char types using 31- and 32-bit precision (respectively), the variable uc would need to be converted to unsigned int, instead of signed int. As a result of the usual arithmetic conversions, the signed int is converted to unsigned, and the addition takes place between the two unsigned int values. Also, because uc is equal to UCHAR_MAX, which is equal to UINT_MAX, the addition results in an overflow in this example. The resulting value is then zero-extended to fit into the 64-bit storage allocated by sll.

Noncompliant Code Example (Comparison)

The program programmer must be careful when performing operations on mixed types. This noncompliant code example shows an idiosyncracy idiosyncrasy of integer promotions.:

int si = -1;
unsigned int ui = 1;
printf("%d\n", si < ui);

In this example, the comparison operator operates on a signed int and an unsigned int. By the conversion rules, si is converted to an unsigned int. Because -1 −1 cannot be represented as an unsigned int value, the -1 −1 is converted to UINT_MAX. This is in accordance with C99the C Standard, Section subclause 6.3.1.3, paragraph 2 , which states[ISO/IEC 9899:2011]:

Otherwise, if the new type is unsigned, the value is converted by repeatedly adding or subtracting one more than the maximum value that can be represented in the new type until the value is in the range of the new type.49)

Consequently, the program prints 0 , because UINT_MAX is not less than 1.

...

The noncompliant code example can be modified to produce the intuitive result by forcing the comparison to be performed using signed int values.:

int si = -1;
unsigned ui = 1;
printf("%d\n", si < (int)ui);

This program prints 1 as expected. Note that (int)ui is correct in this case only because the value of ui is known to be representable as an int. If this it were not known, the compliant solution would need to be written as

int si = /* someSome signed value */;
unsigned ui = /* someSome unsigned value */;
printf("%d\n", (si < 0 || (unsigned)si < ui));

Noncompliant Code Example

This noncompliant code noncompliant code example demonstrates how performing bitwise operations on integer types smaller than int may have unexpected results.:

uint8_t port = 0x5a;
uint8_t result_8 = ( ~port ) >> 4;

In this example, a bitwise complement of port is first computed and then shifted 4 bits to the right. If both of these operations are performed on an 8-bit unsigned integer, then result_8 will have the value 0x0a. However, port is first promoted to a signed int, with the following results (on a typical architecture where type int is 32 bits wide):

Compliant Solution

In this compliant solution, the bitwise complement of port is converted back to 8 bits. Consequently, result_8 is assigned the expected value of 0x0aU.

uint8_t port = 0x5a;
uint8_t result_8 = (uint8_t) (~port) >> 4;

Noncompliant Code Example

In this example, a character is iterated from 0 to CHAR_MAX. However, on a platform where char is signed (such as 32-bit x86), max  is set to 0x80  while i  increments from 0x79  to {{0xffffff80} (aka -127):

#include <limits.h>

unsigned char max = CHAR_MAX + 1;
for (char i = 0; i < max; ++i) {
  printf("i=0x%08x max=0x%08x\n", i, max);
}

Compliant Solution

There are several ways to rectify this example. One way is to treat both chars as unsigned, which prevents wraparound:

#include <limits.h>

unsigned char max = CHAR_MAX + 1;
for (unsigned char i = 0; i < max; ++i) {
  printf("i=0x%08x max=0x%08x\n", i, max);
}

Noncompliant Code Example

This noncompliant code example, adapted from the Cryptography Services blog, demonstrates how signed overflow can occur even when it seems that only unsigned types are in use:

unsigned short x = 45000, y = 50000;
unsigned int z = x * y;

On implementations where short is 16 bits wide and int is 32 bits wide, the program results in undefined behavior due to signed overflow. This is because the unsigned shorts become signed when they are automatically promoted to integer, and their mathematical product (2250000000) is greater than the largest signed 32-bit integer (2³¹ - 1, which is 2147483647).

Compliant Solution

In this compliant solution, by manually casting one of the operands to unsigned int, the multiplication will be unsigned and so will not result in undefined behavior:

unsigned short x = 45000, y = 50000;
unsigned int z = x * (unsigned int)y;

Risk Assessment

Misunderstanding integer conversion rules can lead to errors, which in turn can lead to exploitable vulnerabilities. The major risks occur when narrowing the type (which requires a specific cast or assignment), converting from unsigned to signed, or converting from negative to unsigned.

Automated Detection

Related Vulnerabilities

This vulnerability in Adobe Flash arises because Flash passes a signed integer to calloc(). An attacker has control over this integer and can send negative numbers. Because calloc() takes size_t, which is unsigned, the negative number is converted to a very large number, which is generally too big to allocate, and as a result, calloc() returns NULL, causing the vulnerability to exist.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

...

...

...

...

...

...

...

...

...

...

...

Bibliography

...

...

[Dowd

...

2006

...

]	Chapter 6,

...

"C

...

Language

...

Issues"

...

("Type Conversions," pp. 223–270)
[Seacord 2013]	Chapter 5, "Integer Security"

...

Image Added Image Added Image Added Conversions 223—270) \[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 5, "Integers"Image Removed      04. Integers (INT)      INT03-C. Use a secure integer library