...
Operator | Wrap |
| Operator | Wrap |
| Operator | Wrap |
| Operator | Wrap |
|---|---|---|---|---|---|---|---|---|---|---|
yesYes |
|
| Yes |
|
| yesYes |
|
| noNo | |
yesYes |
| yesYes |
|
| noNo |
|
| noNo | ||
yesYes |
|
| No |
|
| noNo |
|
| noNo | |
| noNo |
|
| noNo |
|
| noNo |
|
| noNo |
| noNo |
| yesYes |
|
| noNo |
|
| noNo | |
| yesYes |
|
| noNo |
|
| noNo |
|
| noNo |
| yesYes |
|
| noNo |
|
| noNo |
|
| noNo |
| noNo |
|
| noNo |
|
| noNo |
|
| noNo |
yesYes |
|
| noNo |
|
| yesYes |
|
| noNo |
Although unsigned left shift << can result in wrapping, modulo behavior is permitted by this standard because of common usage, because this behavior is usually expected by the programmer, and because the behavior is well-defined.
...
This compliant solution performs a precondition test of the operands of the addition to guarantee there is no possibility of unsigned wrap.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned int ui1, ui2, usum;
/* Initialize ui1 and ui2 */
if (UINT_MAX - ui1 < ui2) {
/* handle error condition */
}
else {
usum = ui1 + ui2;
}
|
...
This compliant solution performs a postcondition test to ensure that the result of the unsigned addition operation usum is not less than the first operand.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned int ui1, ui2, usum;
/* Initialize ui1 and ui2 */
usum = ui1 + ui2;
if (usum < ui1) {
/* handle error condition */
}
|
...
This compliant solution performs a precondition test of the unsigned operands of the subtraction operation to guarantee there is no possibility of unsigned wrap.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned int ui1, ui2, udiff;
/* Initialize ui1 and ui2 */
if (ui1 < ui2){
/* handle error condition */
}
else {
udiff = ui1 - ui2;
}
|
...
This compliant solution performs a postcondition test that the result of the unsigned subtraction operation udiff is not greater than the minuend.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned int ui1, ui2, udiff ;
/* Initialize ui1 and ui2 */
udiff = ui1 - ui2;
if (udiff > ui1) {
/* handle error condition */
}
|
...
This compliant solution tests the operands of the multiplication to guarantee that there is no unsigned integer wrap.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
pen->num_vertices = _cairo_pen_vertices_needed(
gstate->tolerance, radius, &gstate->ctm
);
if (pen->num_vertices > SIZE_MAX/sizeof(cairo_pen_vertex_t)) {
/* handle error condition */
}
pen->vertices = malloc(
pen->num_vertices * sizeof(cairo_pen_vertex_t)
);
|
...
This noncompliant code example using atomic integers can result in unsigned integer overflow wrapping.:
| Code Block |
|---|
atomic_int i; int ui1; /* Initialize i, ui1 */ atomic_fetch_add(&i, ui1); |
Compliant Solution
This compliant solution performs a postcondition test to ensure that the result of the unsigned addition operation to i is not less than the operand ui1.:
| Code Block |
|---|
atomic_int i;
int ui1;
/* Initialize ui1, i */
atomic_fetch_add(&i, ui1);
if (atomic_load(&i) < ui1) {
/* handle error condition */
} |
Exceptions
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
Compass/ROSE |
|
| Can detect violations of this rule by ensuring that operations are checked for overflow before being performed. Be mindful of exception INT30-EX2 because it excuses many operations from requiring validation, including all the operations that would validate a potentially dangerous operation. For instance, adding two | ||||||
| Coverity | 6.5 | INTEGER_OVERFLOW | Implemented | ||||||
Fortify SCA | 5.0 |
| Can detect violations of this rule with the CERT C Rule Pack. | ||||||
| PRQA QA-C |
| 2910 (C) | Partially implemented. |
Related Vulnerabilities
CVE-2009-1385 results from a violation of this rule. The value performs an unchecked subtraction on the length of a buffer and then adds that many bytes of data to another buffer [xorl 2009]. This can cause a buffer overflow, which allows an attacker to execute arbitrary code.
...