Page History

...

Code Block

bgColor	#ccccff
lang	c

int rc = 0;
unsigned int stringify = 0x80000000;
char buf[sizeof("256")];
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc == -1 || rc >= sizeof(buf)) {
  /* Handle error */
}

Also, consider using the sprintf_s() function, defined in ISO/IEC TR 24731-1, instead of snprintf() to provide some additional checks. (See STR07-C. Use the bounds-checking interfaces for string manipulation.)

Exceptions

INT13-C-EX1: When used as bit flags, it is acceptable to use preprocessor macros or enumeration constants as arguments to the & and | operators even if the value is not explicitly declared as unsigned.

...

Performing bitwise operations on signed numbers can lead to buffer overflows and the execution of arbitrary code by an attacker in some cases, unexpected or implementation-defined behavior in others.

Recommendation	Severity	Likelihood

Remediation Cost

Detectable	Repairable	Priority	Level
INT13-C	High	Unlikely	Yes

Medium

No

P6

L2

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

bitop-type

Fully checked

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-INT13

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

LANG.TYPE.IOT

Inappropriate operand type

Compass/ROSE

Can detect violations of this rule. In particular, it flags bitwise operations that involved variables not declared with unsigned type

ECLAIR

Include Page

	ECLAIR_V
	ECLAIR_V

CC2.INT13

Fully implemented

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C4532, C4533, C4534, C4543, C4544

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

MISRA.BITS.NOT_UNSIGNED
MISRA.BITS.NOT_UNSIGNED.PREP

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

50 S
120 S
331 S

Fully implemented

Parasoft C/C++test

9.5MISRA2008-5_0_21Fully implementedPRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v4532, 4533, 4534, 4543, 4544

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-INT13-a
CERT_C-INT13-b

Operands of bitwise and complement operators shall have an unsigned type
Operands of shift operators shall have an unsigned type

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

9233

Partially supported: reports use of a bitwise operator on an expression with a signed MISRA C 2004 underlying type

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rec. INT13-C

Checks for bitwise operation on negative value (rec. fully covered)

RuleChecker

Include Page

	RuleChecker_V
	RuleChecker_V

bitop-type

Fully checked

SonarQube C/C++ Plugin

Include Page

	SonarQube C/C++ Plugin_V
	SonarQube C/C++ Plugin_V

S874

Fully implemented

Splint

Include Page

	Splint_V
	Splint_V

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding Standard	VOID INT13-CPP. Use bitwise operators only on unsigned operands
ISO/IEC TR 24772:2013	Bit Representations [STR] Arithmetic Wrap-around Error [FIF] Sign Extension Error [XZI]
MITRE CWE	CWE-682, Incorrect calculation

Bibliography

[Dowd 2006]	Chapter 6, "C Language Issues"
[C99 Rationale 2003]	Subclause 6.5.7, "Bitwise Shift Operators"

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 98

New Version Current

Key

Exceptions

Automated Detection

Related Vulnerabilities

Related Guidelines

Bibliography