
Section 6.2.5, para. 9, of the C Standard [ISO/IEC 9899:2011], states:

A computation involving unsigned operands can never overflow, because a result that cannot be represented by the resulting unsigned integer type is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type.


Code Block
pen->num_vertices = _cairo_pen_vertices_needed(
  gstate->tolerance, radius, &gstate->ctm
);

/* Precondition test: reject a count whose size in bytes would wrap size_t */
if (pen->num_vertices > SIZE_MAX / sizeof(cairo_pen_vertex_t)) {
  /* handle error condition */
}
pen->vertices = malloc(
  pen->num_vertices * sizeof(cairo_pen_vertex_t)
);

Atomic Integers

The C Standard [ISO/IEC 9899:2011] defines arithmetic on atomic integer types as read-modify-write operations with the same representation as nonatomic integer types. As a result, wrapping of atomic unsigned integers is identical to wrapping of nonatomic unsigned integers and should also be prevented or detected.
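One way to prevent wrapping on an atomic unsigned counter, shown as an added example that is not part of the original page: the precondition test is applied inside a compare-exchange loop so it is always evaluated against the value actually being replaced. The helper names `atomic_add_checked` and `atomic_add_unchecked` and the starting values are hypothetical.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper: add delta to an atomic unsigned counter without
 * wrapping. Returns true and updates *counter on success; returns false
 * and leaves *counter unchanged if the sum would exceed UINT_MAX. */
bool atomic_add_checked(atomic_uint *counter, unsigned int delta) {
  unsigned int old = atomic_load(counter);
  do {
    /* Precondition test: old + delta wraps iff delta > UINT_MAX - old. */
    if (delta > UINT_MAX - old) {
      return false;
    }
    /* If the exchange fails, old is reloaded with the current value,
     * so the test is repeated against what another thread stored. */
  } while (!atomic_compare_exchange_weak(counter, &old, old + delta));
  return true;
}

/* Unchecked form for contrast: atomic_fetch_add wraps modulo
 * UINT_MAX + 1, exactly like nonatomic unsigned addition.
 * Returns the (possibly wrapped) new value. */
unsigned int atomic_add_unchecked(atomic_uint *counter, unsigned int delta) {
  return atomic_fetch_add(counter, delta) + delta;
}

int main(void) {
  atomic_uint checked, unchecked;
  atomic_init(&checked, UINT_MAX - 1u);   /* constructed starting value */
  atomic_init(&unchecked, UINT_MAX);      /* constructed starting value */

  bool first = atomic_add_checked(&checked, 1u);
  bool second = atomic_add_checked(&checked, 1u);
  printf("checked: first=%d second=%d value=%u\n",
         first, second, atomic_load(&checked));

  unsigned int wrapped = atomic_add_unchecked(&unchecked, 2u);
  printf("unchecked: value after wrap=%u\n", wrapped);
  return 0;
}
```

A separate load followed by `atomic_fetch_add` would not give the same guarantee, because another thread can change the counter between the check and the addition.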


CERT C++ Secure Coding Standard: INT30-CPP. Ensure that unsigned integer operations do not wrap

ISO/IEC 9899:2011 Section 6.2.5, "Types," Section 6.5, "Expressions," and Section 7.10, "Sizes of integer types <limits.h>"


[Dowd 2006] Chapter 6, "C Language Issues" ("Arithmetic boundary conditions," pp. 211–223)
[Seacord 2005] Chapter 5, "Integers"
[Viega 2005] Section 5.2.7, "Integer overflow"
[Warren 2002] Chapter 2, "Basics"
[Wojtczuk 2008]
[xorl 2009] "CVE-2009-1385: Linux kernel E1000 integer underflow"