...
[Table: each operator paired with whether its result can wrap (Yes/No); the operator column did not survive extraction.]
Although unsigned left shift `<<` can result in wrapping, modulo behavior is permitted by this standard because of common usage, because this behavior is usually expected by the programmer, and because the behavior is well defined.
The following sections examine specific operations that are susceptible to unsigned integer wrap. When operating on small integer types (smaller than `int`), integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Programmers should understand integer conversion rules before trying to implement secure arithmetic operations. (See INT02-C. Understand integer conversion rules.)
...
- Operations on two compile-time constants
- Operations on a variable and 0 (except division by 0, of course)
- Subtracting any variable from its type's maximum; for instance, any `unsigned int` may safely be subtracted from `UINT_MAX`
- Multiplying any variable by 1
- Division, as long as the divisor is nonzero
- Right-shifting any type maximum by any number smaller than the type size; for instance, `UINT_MAX >> x` is valid as long as `0 <= x < 32` (assuming that the size of `unsigned int` is 32 bits)
- Left-shifting 1 by any number smaller than the type size
INT30-EX3. Unsigned left shift `<<` can exhibit modulo behavior (wrapping). This exception is provided because of common usage, because this behavior is usually expected by the programmer, and because the behavior is well defined.
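As an added example (not code from the CERT standard itself), the following precondition checks reject an `unsigned int` addition, subtraction, multiplication or left shift before it can wrap, and `exceptions_never_wrap` confirms that the operand patterns listed in the exceptions above always pass them; the function names are my own, and a 32-bit `unsigned int` is assumed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Precondition-style wrap checks for unsigned int (hypothetical helpers).
 * Each stores a result and returns true only when the operation cannot wrap. */
bool checked_add_uint(unsigned int a, unsigned int b, unsigned int *out) {
    if (UINT_MAX - a < b) return false;            /* a + b would exceed UINT_MAX */
    *out = a + b;
    return true;
}

bool checked_sub_uint(unsigned int a, unsigned int b, unsigned int *out) {
    if (a < b) return false;                       /* a - b would wrap to a huge value */
    *out = a - b;
    return true;
}

bool checked_mul_uint(unsigned int a, unsigned int b, unsigned int *out) {
    if (a != 0 && b > UINT_MAX / a) return false;  /* a * b would exceed UINT_MAX */
    *out = a * b;
    return true;
}

bool checked_shl_uint(unsigned int a, unsigned int shift, unsigned int *out) {
    /* Shifting by the type width or more is undefined; a shift that pushes
     * set bits out of the top of the value is the modulo case of INT30-EX3. */
    if (shift >= sizeof(unsigned int) * CHAR_BIT) return false;
    if (shift != 0 && a > (UINT_MAX >> shift)) return false;
    *out = a << shift;
    return true;
}

/* The INT30-EX1 operand patterns: for any x these checks always succeed. */
bool exceptions_never_wrap(unsigned int x) {
    unsigned int r;
    return checked_sub_uint(UINT_MAX, x, &r)       /* UINT_MAX - x */
        && checked_mul_uint(x, 1u, &r)             /* x * 1 */
        && checked_add_uint(x, 0u, &r);            /* x + 0 */
}

int main(void) {
    unsigned int r;
    printf("UINT_MAX + 1: %s\n", checked_add_uint(UINT_MAX, 1u, &r) ? "ok" : "would wrap");
    printf("65536 * 65536: %s\n", checked_mul_uint(65536u, 65536u, &r) ? "ok" : "would wrap");
    printf("exceptions hold: %d\n", exceptions_never_wrap(12345u));
    return 0;
}
```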
Risk Assessment
Integer wrap can lead to buffer overflows and the execution of arbitrary code by an attacker.
...