Conversions can occur explicitly as the result of a cast or implicitly as required by an operation. While Although conversions are generally required for the correct execution of a program, they can also lead to lost or misinterpreted data. Conversion of an operand value to a compatible type causes no change to the value or the representation [ISO/IEC 9899:2011].
The C integer conversion rules define how C compilers handle conversions. These rules include integer promotions, integer conversion rank, and the usual arithmetic conversions. The intent of the rules is to ensure that the conversions result in the same numerical values and that these values minimize surprises in the rest of the computation. Prestandard C usually preferred to preserve signedness of the type.
...
Integer promotions require the promotion of each variable (c1 and c2) to int size. The two int values are added, and the sum is truncated to fit into the char type. Integer promotions are performed to avoid arithmetic errors resulting from the overflow of intermediate values:
...
Every integer type has an integer conversion rank that determines how conversions are performed. The ranking is based on the concept that each integer type contains at least as many bits as the types ranked below it. The following rules for determining integer conversion rank are defined in the C standardStandard, Section subclause 6.3.1.1 [ISO/IEC 9899:2011]:
- No two signed integer types shall have the same rank, even if they have the same representation.
- The rank of a signed integer type shall be greater than the rank of any signed integer type with less precision.
- The rank of
long long intshall be greater than the rank oflong int, which shall be greater than the rank ofint, which shall be greater than the rank ofshort int, which shall be greater than the rank ofsigned char. - The rank of any unsigned integer type shall equal the rank of the corresponding signed integer type, if any.
- The rank of any standard integer type shall be greater than the rank of any extended integer type with the same width.
- The rank of
charshall equal the rank ofsigned charandunsigned char. - The rank of
_Boolshall be less than the rank of all other standard integer types. - The rank of any enumerated type shall equal the rank of the compatible integer type.
- The rank of any extended signed integer type relative to another extended signed integer type with the same precision is implementation-defined, but still subject to the other rules for determining the integer conversion rank.
- For all integer types
T1,T2, andT3, ifT1has greater rank thanT2andT2has greater rank thanT3, thenT1has greater rank thanT3.
...
- If both operands have the same type, no further conversion is needed.
- If both operands are of the same integer type (signed or unsigned), the operand with the type of lesser integer conversion rank is converted to the type of the operand with greater rank.
- If the operand that has unsigned integer type has rank greater than or equal to the rank of the type of the other operand, the operand with signed integer type is converted to the type of the operand with unsigned integer type.
- If the type of the operand with signed integer type can represent all of the values of the type of the operand with unsigned integer type, the operand with unsigned integer type is converted to the type of the operand with signed integer type.
- Otherwise, both operands are converted to the unsigned integer type corresponding to the type of the operand with signed integer type. Specific operations can add to or modify the semantics of the usual arithmetic operations.
Example
In the following example, assume the code is compiled using an implementation with 8-bit char, 32-bit int, and 64-bit long long:
...
The programmer must be careful when performing operations on mixed types. This noncompliant code example shows an idiosyncracy idiosyncrasy of integer promotions.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int si = -1;
unsigned int ui = 1;
printf("%d\n", si < ui);
|
In this example, the comparison operator operates on a signed int and an unsigned int. By the conversion rules, si is converted to an unsigned int. Because −1 cannot be represented as an unsigned int value, the −1 is converted to UINT_MAX. This is in accordance with the C Standard, Section subclause 6.3.1.3, para. paragraph 2 [ISO/IEC 9899:2011]:
Otherwise, if the new type is unsigned, the value is converted by repeatedly adding or subtracting one more than the maximum value that can be represented in the new type until the value is in the range of the new type.
Consequently, the program prints 0 , because UINT_MAX is not less than 1.
...
The noncompliant code example can be modified to produce the intuitive result by forcing the comparison to be performed using signed int values.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int si = -1;
unsigned ui = 1;
printf("%d\n", si < (int)ui);
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
int si = /* someSome signed value */; unsigned ui = /* someSome unsigned value */; printf("%d\n", (si < 0 || (unsigned)si < ui)); |
Noncompliant Code Example
This noncompliant code noncompliant code example demonstrates how performing bitwise operations on integer types smaller than int may have unexpected results.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
uint8_t port = 0x5a; uint8_t result_8 = ( ~port ) >> 4; |
In this example, a bitwise complement of port is first computed and then shifted 4 bits to the right. If both of these operations are performed on an 8-bit unsigned integer, then result_8 will have the value 0x0a. However, port is first promoted to a signed int, with the following results (on a typical architecture where type int is 32 bits wide):
Expression | Type | Value | Notes |
|---|---|---|---|
|
|
|
|
|
|
|
|
| Whether or not value is negative is implementation-defined |
|
|
|
Compliant Solution
In this compliant solution, the bitwise complement of port is converted back to 8 bits. Consequently, result_8 is assigned the expected value of 0x0aU.
| Code Block | ||||
|---|---|---|---|---|
| ||||
uint8_t port = 0x5a;
uint8_t result_8 = (uint8_t) (~port) >> 4;
|
Noncompliant Code Example
In this example, a character is iterated from 0 to CHAR_MAX. However, on a platform where char is signed (such as 32-bit x86), max is set to 0x80 while i increments from 0x79 to {{0xffffff80} (aka -127):
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <limits.h> unsigned char max = CHAR_MAX + 1; for (char i = 0; i < max; ++i) { printf("i=0x%08x max=0x%08x\n", i, max); } |
Compliant Solution
There are several ways to rectify this example. One way is to treat both chars as unsigned, which prevents wraparound:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <limits.h>
unsigned char max = CHAR_MAX + 1;
for (unsigned char i = 0; i < max; ++i) {
printf("i=0x%08x max=0x%08x\n", i, max);
} |
Noncompliant Code Example
This noncompliant code example, adapted from the Cryptography Services blog, demonstrates how signed overflow can occur even when it seems that only unsigned types are in use:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned short x = 45000, y = 50000;
unsigned int z = x * y; |
On implementations where short is 16 bits wide and int is 32 bits wide, the program results in undefined behavior due to signed overflow. This is because the unsigned shorts become signed when they are automatically promoted to integer, and their mathematical product (2250000000) is greater than the largest signed 32-bit integer (231 - 1, which is 2147483647).
Compliant Solution
In this compliant solution, by manually casting one of the operands to unsigned int, the multiplication will be unsigned and so will not result in undefined behavior:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned short x = 45000, y = 50000;
unsigned int z = x * (unsigned int)y; |
Risk Assessment
Misunderstanding integer conversion rules can lead to errors, which in turn can lead to exploitable vulnerabilities. The major risks occur when narrowing the type (which requires a specific cast or assignment), converting from unsigned to signed, or converting from negative to unsigned.
Recommendation | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|---|---|
INT02-C |
Medium | Probable |
No |
No |
P4 |
L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported | |||||||
| CodeSonar |
| ALLOC.SIZE.TRUNC LANG.CAST.COERCE LANG.CAST.VALUE MISC.MEM.SIZE.TRUNC | Truncation of Allocation Size Coercion Alters Value Cast Alters Value Truncation of Size | ||||||
| CC2.INT02 | Fully implemented | |||||||
| Helix QAC |
| C1250, C1251, C1252, C1253, C1256, C1257, C1260, C1263, C1266, C1274, C1290, C1291, C1292, C1293, C1294, C1295, C1296, C1297, C1298, C1299, C1800, C1802, C1803, C1804, C1810, C1811, C1812, C1813, C1820, C1821, C1822, C1823, C1824, C1830, C1831, C1832, C1833, C1834, C1840, C1841, C1842, C1843, C1844, C1850, C1851, C1852, C1853, C1854, C1860, C1861, C1862, C1863, C1864, C1880, C1881, C1882, C2100, C2101, C2102, C2103, C2104, C2105, C2106, C2107, C2109, C2110, C2111, C2112, C2113, C2114, C2115, C2116, C2117, C2118, C2119, C2120, C2122, C2124, C2130, C2132, C2134, C4401, C4402, C4403, C4404, C4405, C4410, C4412, C4413, C4414, C4415, C4420, C4421, C4422, C4423, C4424, C4425, C4430, C4431, C4432, C4434, C4435, C4436, C4437, C4440, C4441, C4442, C4443, C4445, C4446, C4447, C4460, C4461, C4463, C4464, C4470, C4471, C4480, C4481 | |||||||
| Klocwork |
| MISRA.CAST.INT MISRA.CAST.UNSIGNED_BITS MISRA.CONV.INT.SIGN MISRA.CVALUE.IMPL.CAST MISRA.UMINUS.UNSIGNED PRECISION.LOSS | |||||||
| LDRA tool suite |
| 52 S |
, 93 S |
, 96 S |
, 101 S, 107 S |
, 332 S |
, 334 S |
, 433 S |
, 434 S |
442 S
443 S
, 446 S |
, 452 S |
, 457 S |
, 458 |
491
S | Fully implemented |
0290
0291
3755
3756
3757
3758
3759
3760
3762
3763
3764
3765
| Parasoft C/C++test |
| CERT_C-INT02-a | Implicit conversions from wider to narrower integral type which may result in a loss of information shall not be used | ||||||
| PC-lint Plus |
| 501, 502, 569, 570, 573, | Partially supported | ||||||
| Polyspace Bug Finder |
| Checks for sign change integer conversion overflow (rec. fully supported) | |||||||
| PVS-Studio |
| V555, V605, V673, V5006 |
Related Vulnerabilities
This vulnerability in Adobe Flash arises because Flash passes a signed integer to calloc(). An attacker has control over this integer and can send negative numbers. Because calloc() takes size_t, which is unsigned, the negative number is converted to a very large number, which is generally too big to allocate, and as a result, calloc() returns NULL, causing the vulnerability to exist.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
ISO/IEC TR 24772 "FLC Numeric conversion errors"
MISRA Rules 10.1, 10.3, 10.5, and 12.9
MITRE CWE: CWE-192, "Integer coercion error"
...
| TR 24772:2013 | Numeric Conversion Errors [FLC] |
| MISRA C:2012 | Rule 10.1 (required) Rule 10.3 (required) Rule 10.4 (required) Rule 10.6 (required) Rule 10.7 (required) Rule 10.8 (required) |
| MITRE CWE | CWE-192, Integer coercion error CWE-197, Numeric truncation error |
...
Bibliography
| [Dowd 2006] | Chapter 6, "C Language Issues" ("Type |
...
| Conversions," pp. 223–270) |
| [Seacord |
...
| 2013] | Chapter 5, " |
...
Integer Security" |
...