Versions Compared

...

For example, given an implementation that supports 128-bit unsigned integers and provides a uint_fast128_t type, a programmer may define the following type:

Code Block

typedef uint_fast128_t mytypedef_t;

Furthermore, the definition of programmer-defined types may change. This creates a problem when these types are used with formatted output functions, such as printf(), and formatted input functions, such as scanf(). (See recommendation FIO00-C. Take care when creating format strings.)

The C intmax_t and uintmax_t types can represent any value representable by any other integer types of the same signedness. (See recommendation INT00-C. Understand the data model used by your implementation(s).) This capability allows conversion between programmer-defined integer types (of the same signedness) and intmax_t and uintmax_t:

Code Block

mytypedef_t x;
uintmax_t temp;
/* ... */
temp = x; /* always secure: widening to uintmax_t of the same signedness cannot lose the value */

/* ... change the value of temp ... */

if (temp <= MYTYPEDEF_MAX) {
  x = temp;
}

Formatted I/O functions can be used to input and output greatest-width integer typed values. The j length modifier in a format string indicates that the following d, i, o, u, x, X, or n conversion specifier will apply to an argument with type intmax_t or uintmax_t. C also specifies the z length modifier for use with arguments of type size_t and the t length modifier for arguments of type ptrdiff_t.

In addition to programmer-defined types, there is no requirement that an implementation provide format length modifiers for implementation-defined integer types. For example, a machine with an implementation-defined 48-bit integer type may not provide format length modifiers for the type. Such a machine still must have a 64-bit long long, with intmax_t being at least that large.

...

This noncompliant code example prints the value of x as an unsigned long long value, even though the value is of a programmer-defined integer type.

Code Block

#include <stdio.h>

mytypedef_t x;

/* ... */

printf("%llu", (unsigned long long) x);

...

Compliant Solution (printf())

The C intmax_t and uintmax_t can be safely used to perform formatted I/O with programmer-defined integer types. This is accomplished by converting signed programmer-defined integer types to intmax_t and unsigned programmer-defined integer types to uintmax_t, then outputting these values using the j length modifier. Similarly, programmer-defined integer types can be input to variables of intmax_t or uintmax_t (whichever matches the signedness of the programmer-defined integer type) and then converted to programmer-defined integer types using appropriate range checks.

...

Code Block

#include <stdio.h>
#include <inttypes.h>

mytypedef_t x;

/* ... */

printf("%ju", (uintmax_t) x);

...

Code Block

#include <stdio.h>

mytypedef_t x;
/* ... */
if (scanf("%llu", &x) != 1) {
  /* handle error */
}

This noncompliant code example can result in a buffer overflow if the size of mytypedef_t is smaller than unsigned long long, or it might result in an incorrect value if the size of mytypedef_t is larger than unsigned long long.

...

Code Block

#include <stdio.h>
#include <inttypes.h>

mytypedef_t x;
uintmax_t temp;

/* ... */

if (scanf("%ju", &temp) != 1) {
  /* handle error */
}
if (temp > MYTYPEDEF_MAX) {
  /* handle error */
}
else {
  x = temp; /* narrowing is safe only after the range check above */
}

...
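As an added example (not part of the CERT page or its code), the following program puts the printf() and scanf() compliant solutions together for both an unsigned and a signed programmer-defined type, and also exercises the z and t length modifiers described above. The typedefs mytypedef_t and mysigned_t, the MYTYPEDEF_MAX, MYSIGNED_MIN and MYSIGNED_MAX macros, and the function names are assumptions chosen for this example (the page's own typedef uses uint_fast128_t, which most implementations do not provide); the input strings are constructed.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed programmer-defined types for this example (the page's typedef
 * uses uint_fast128_t, which most implementations lack). */
typedef uint16_t mytypedef_t;
#define MYTYPEDEF_MAX UINT16_MAX

typedef int16_t mysigned_t;
#define MYSIGNED_MIN INT16_MIN
#define MYSIGNED_MAX INT16_MAX

/* Parse an unsigned programmer-defined value from text.
 * Returns 0 on success, -1 if no integer could be read, -2 if the
 * value does not fit in mytypedef_t. Reading into a uintmax_t with %ju
 * means scanf() never writes past the end of a narrower object. */
int read_mytypedef(const char *text, mytypedef_t *out) {
  uintmax_t temp;
  if (sscanf(text, "%ju", &temp) != 1) {
    return -1;
  }
  if (temp > MYTYPEDEF_MAX) {
    return -2;
  }
  *out = (mytypedef_t) temp; /* narrowing is safe after the range check */
  return 0;
}

/* Signed counterpart: intmax_t with %jd, checked against both bounds. */
int read_mysigned(const char *text, mysigned_t *out) {
  intmax_t temp;
  if (sscanf(text, "%jd", &temp) != 1) {
    return -1;
  }
  if (temp < MYSIGNED_MIN || temp > MYSIGNED_MAX) {
    return -2;
  }
  *out = (mysigned_t) temp;
  return 0;
}

/* Format a programmer-defined value: convert to uintmax_t and use %ju,
 * so the conversion specifier and the argument type always agree.
 * Returns the number of characters snprintf() would have written. */
int print_mytypedef(char *buf, size_t n, mytypedef_t x) {
  return snprintf(buf, n, "%ju", (uintmax_t) x);
}

/* The other standard length modifiers from the text: z for size_t and
 * t for ptrdiff_t. No cast is needed because the types match exactly. */
int format_size_and_diff(char *buf, size_t n, size_t sz, ptrdiff_t d) {
  return snprintf(buf, n, "%zu:%td", sz, d);
}

int main(void) {
  /* Constructed inputs; the second unsigned one exceeds the 16-bit range. */
  const char *unsigned_inputs[] = { "65535", "65536", "abc" };
  const char *signed_inputs[] = { "-32768", "32768" };
  char buf[64];

  for (size_t i = 0; i < sizeof unsigned_inputs / sizeof unsigned_inputs[0]; i++) {
    mytypedef_t u;
    int rc = read_mytypedef(unsigned_inputs[i], &u);
    if (rc == 0) {
      print_mytypedef(buf, sizeof buf, u);
      printf("%-8s -> mytypedef_t %s\n", unsigned_inputs[i], buf);
    } else {
      printf("%-8s -> rejected (%s)\n", unsigned_inputs[i],
             rc == -1 ? "not an integer" : "out of range");
    }
  }
  for (size_t i = 0; i < sizeof signed_inputs / sizeof signed_inputs[0]; i++) {
    mysigned_t s;
    int rc = read_mysigned(signed_inputs[i], &s);
    printf("%-8s -> %s\n", signed_inputs[i],
           rc == 0 ? "accepted as mysigned_t" : "rejected");
  }
  format_size_and_diff(buf, sizeof buf, sizeof buf, (ptrdiff_t) -7);
  printf("size_t/ptrdiff_t: %s\n", buf);
  return 0;
}
```

One caveat worth knowing when the text comes from an untrusted source: sscanf() reports a matching failure for non-numeric input, but if the magnitude of the digits exceeds what uintmax_t or intmax_t itself can hold, C11 7.21.6.2 leaves the behavior undefined. strtoumax() and strtoimax() with an errno check diagnose that case explicitly, and the same range check against MYTYPEDEF_MAX or the signed bounds still follows.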

Tool             Version  Checker              Description
Compass/ROSE                                   Can catch violations of this rule by scanning the printf() and scanf() family of functions. For each such function, any variable that corresponds to a "%d" qualifier (or any qualifier besides "%j"), and that variable is not one of the built-in types (char, short, int, long, long long), indicates a violation of this rule. To catch violations, ROSE would also have to recognize derived types in expressions, such as size_t.
LDRA tool suite           439 S, 440 S, 586 S  Partially implemented.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C++ Secure Coding Standard: INT15-CPP. Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types

ISO/IEC 9899:2011 Section 7.20.1.5, "Greatest-width integer types," and Section 7.21.6, "Formatted input/output functions"

MITRE CWE: CWE-681, "Incorrect conversion between numeric types"

Bibliography

...