...
For these reasons, it is important to ensure that operations on signed integers do no result in overflow. (See MSC15-C. Do not depend on undefined behavior.) Of particular importance are operations on signed integer values that originate from untrusted sources from tainted source and are used as:
- integer operands of any pointer arithmetic, including array indexing;
- the assignment expression for the declaration of a variable length array;
- the postfix expression preceding square brackets
[]or the expression in square brackets[]of a subscripted designation of an element of an array object; and - function arguments of type
size_torrsize_t(for example, an argument to a memory allocation function).
...
The C Standard, 6.5.7 paragraph 4 [ISO/IEC 9899:2011], states
...
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a bug (logic error). These issues are covered by INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.
Noncompliant Code Example
This noncompliant code example can result in an unrepresentable value.
...
Compliant Solution
This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:
...