Conversions can occur explicitly as the result of a cast or implicitly as required by an operation. While conversions are generally required for the correct execution of a program, they can also lead to lost or misinterpreted data. Conversion of an operand value to a compatible type causes no change to the value or the representation [[ISO/IEC 9899-1999]].
The C99 standard rules define how C compilers handle conversions. These rules include integer promotions, integer conversion rank, and the usual arithmetic conversions.
Integer Promotions
Integer types smaller than int are promoted when an operation is performed on them. If all values of the original type can be represented as an int, the value of the smaller type is converted to an int; otherwise, it is converted to an unsigned int. Integer promotions are applied as part of the usual arithmetic conversions to certain argument expressions, operands of the unary +, -, and ~ operators, and operands of the shift operators. The following code fragment illustrates the application of integer promotions:
char c1, c2; c1 = c1 + c2;
Integer promotions require the promotion of each variable (c1 and c2) to int size. The two int values are added and the sum truncated to fit into the char type. Integer promotions are performed to avoid arithmetic errors resulting from the overflow of intermediate
values. For example:
signed char cresult, c1, c2, c3; c1 = 100; c2 = 3; c3 = 4; cresult = c1 * c2 / c3;
In this example, the value of c1 is multiplied by c2. The product of these values is then divided by the value of c3 (according to operator precedence rules). Assuming that signed char is represented as an eight bit two's complement value, the product of c1 and c2 (300) cannot be represented as an eight bit two's complement value. Because of integer promotions, however, c1, c2, and c3 are each converted to int, and the overall expression is successfully evaluated. The resulting value is truncated and stored in cresult. Because the final result (75) is in the range of the signed char type, the truncation does not result in lost data.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Non-Compliant Code Example (Comparison)
Here is an example that illustrates the idiosyncracies of integer promotion.
int x = -1;
unsigned y = 1;
printf("%d\n", x < y);
In this example, the comparison operator operates on a{{signed int}} and an unsigned int. By the conversion rules, x is converted to an unsigned int. Since -1 can't be represented as an unsigned int value, and overflows are treated modularly on unsigned int}}s, the {{-1 is converted to UINT_MAX. The upshot is that the program prints 0, because UINT_MAX is not less than 1.
Compliant Solution
The previous example can be modified to produce the intuitive result by forcing the comparison to be done with {{signed int}}s.
int x = -1;
unsigned y = 1;
printf("%d\n", x < (int) y);
This program prints 1 as expected.
Risk Assessment
Misunderstanding integer conversion rules can lead to errors, which in turn can lead to exploitable vulnerabilities.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
INT02-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Dowd 06]] Chapter 6, "C Language Issues" (Type Conversions 223-270)
[[ISO/IEC 9899-1999]] Section 6.3, "Conversions"
[[ISO/IEC DTR 24772-2007]] Language Vulnerability "XYE Numeric Conversion Errors"
[[MISRA 04]] Rules 10.1, 10.3, 10.5, and 12.9
[[MITRE 07]] CWE ID 192
, "Integer Coercion Error"; CWE ID 197, "Numeric Truncation Error"
[[Seacord 05]] Chapter 5, "Integers"
INT01-A. Use rsize_t or size_t for all integer values representing the size of an object 04. Integers (INT) INT03-A. Use a secure integer library