...
This is a subtle error that results in a disturbingly broad range of potentially severe vulnerabilities. At the very least, this error can lead to unexpected numerical results on different platforms. Unexpected arithmetic values when applied to arrays or pointers can yield buffer overflows or other invalid memory access.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
INT07-C | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||
|---|---|---|---|---|---|---|---|
| Astrée |
|
| Supported, but no explicit checker | |||||||||
| CodeSonar |
| LANG.TYPE.IOT | Inappropriate operand type | ||||||
| Compass/ROSE |
Can detect violations of this recommendation. In particular, it flags any instance of a variable of type | |||||||||
| CC2.INT07 | Fully implemented | |||||||
| Klocwork |
| PORTING.SIGNED.CHAR |
| LDRA tool suite |
| 93 S, 96 S, 101 S, 329 S, 432 S, 458 S | Fully implemented | ||||||
| Parasoft C/C++test |
|
|
| MISRA2004-6_{1,2} | Fully implemented | |||||
| R2016b | Use of plain char type for numerical value | Plain char variable in arithmetic operation without explicit signedness | |||||
| Splint |
|
| PRQA QA-C |
| 1292, 1293, 4401, 4421, 4431, 4441, 4451 |
| Partially implemented | ||||||||
| SonarQube C/C++ Plugin |
| S820 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID INT07-CPP. Use only explicitly signed or unsigned char type for numeric values |
| ISO/IEC TR 24772:2013 | Bit Representations [STR] |
| MISRA C:2012 | Rule 10.1 (required) Rule 10.3 (required) Rule 10.4 (required) |
| MITRE CWE | CWE-682, Incorrect calculation |
...
...