...
The following sections examine specific operations that are susceptible to unsigned integer wrap. When operating on small integer types (smaller than int), integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Make sure you understand integer conversion rules before trying to implement secure arithmetic operations. (See recommendation INT02-C. Understand integer conversion rules.)
...
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type. (See rules ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for information about adding a pointer to an integer.) Incrementing is equivalent to adding one.
...
Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or between a pointer to an object type and an integer type. (See rules ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for information about pointer subtraction.) Decrementing is equivalent to subtracting one.
...
The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer overflow vulnerability resulting from an unsigned integer wrap during the multiplication of the signed int value pen->num_vertices and the size_t value sizeof(cairo_pen_vertex_t) [VU#551436]. The signed int operand is converted to size_t prior to the multiplication operation so that the multiplication takes place between two size_t integers, which are unsigned. (See recommendation INT02-C. Understand integer conversion rules.)
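The size computation described above, next to a precondition test that rejects counts whose product would wrap. This is an added example, not code from the original page or from the affected project; pen_vertex_t is a hypothetical stand-in for cairo_pen_vertex_t, and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for cairo_pen_vertex_t; its real layout is not on this page. */
typedef struct { double x, y; } pen_vertex_t;

/* Size computed the way the paragraph describes: the signed count is
 * implicitly converted to size_t, and the product wraps modulo SIZE_MAX + 1. */
static size_t unchecked_size(int num_vertices) {
    return num_vertices * sizeof(pen_vertex_t);
}

/* Precondition test: reject negative counts, and counts whose product with
 * the element size is not representable in size_t.
 * Returns 0 and stores the byte count on success, -1 otherwise. */
static int checked_size(int num_vertices, size_t *bytes) {
    if (num_vertices < 0)
        return -1;
    if ((size_t)num_vertices > SIZE_MAX / sizeof(pen_vertex_t))
        return -1;
    *bytes = (size_t)num_vertices * sizeof(pen_vertex_t);
    return 0;
}

/* Allocate only when the size is known not to have wrapped. */
static pen_vertex_t *alloc_vertices(int num_vertices) {
    size_t bytes;
    if (checked_size(num_vertices, &bytes) != 0 || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed inputs: one ordinary count and one negative count. */
    int samples[] = { 4, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = 0;
        int rc = checked_size(samples[i], &bytes);
        printf("count=%d unchecked=%zu checked=%s\n", samples[i],
               unchecked_size(samples[i]), rc == 0 ? "accepted" : "rejected");
    }
    pen_vertex_t *v = alloc_vertices(4);
    free(v);
    return alloc_vertices(-1) == NULL ? 0 : 1;
}
```

The division-based test runs before the multiplication, so the check itself cannot wrap.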
...
Tool  Version  Checker  Description  
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: INT30-CPP. Ensure that unsigned integer operations do not wrap
[ISO/IEC 9899:1999] Section 6.2.5, "Types," Section 6.5, "Expressions," and Section 7.10, "Sizes of integer types <limits.h>"
[ISO/IEC PDTR 24772] "XYY Wraparound Error"
MITRE CWE: CWE-190, "Integer Overflow (Wrap or Wraparound)" http://cwe.mitre.org/data/definitions/190.html
Bibliography
[Dowd 2006] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
[Seacord 2005] Chapter 5, "Integers"
[Viega 2005] Section 5.2.7, "Integer overflow"
[VU#551436]
[Warren 2002] Chapter 2, "Basics"
[Wojtczuk 2008]
[xorl 2009] "CVE-2009-1385: Linux kernel E1000 Integer Underflow" http://xorl.wordpress.com/2009/06/10/cve-2009-1385-linux-kernel-e1000-integer-underflow/
...