Integer values that originate from untrusted sources must be guaranteed correct if they are used in any of the following ways:
- as an array index
- in any pointer arithmetic
- as a length or size of an object
- as the bound of an array (for example, a loop counter)
- as an argument to a memory allocation function
- in security critical code
Integer values can be invalidated due to excpetional conditions such as overflow, truncation, or sign error leading to exploitable vulnerabilities. Failure to provide proper range checking can also lead to exploitable vulnerabilities.
Recommendations
INT00-A. Do not make assumptions about the type of a bit-field when used in an expression
INT01-A. Use size_t for all integer values representing the size of an object
INT02-A. Understand integer conversion rules
INT03-A. Use a secure integer library
INT04-A. Enforce limits on integer values originating from untrusted sources
INT05-A. Do not input integer values using scanf() or other formatted input functions
INT06-A. Use strtol() to convert a string token to an integer
INT07-A. Explicitly specify signed or unsigned for character types
INT08-A. Verify that all integer values are in range
Rules
INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
INT32-C. Ensure that integer operations do not result in an overflow
INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors
INT34-C. Ensure integer values are within valid ranges
INT37-C. Arguments to character handling functions must be representable as an unsigned char