Signed integer overflow is undefined behavior (see undefined behavior 36 in Annex J of C11 [ISO/IEC 9899:2011]the C Standard). This means that implementations have a great deal of latitude in how they deal with signed integer overflow.
An implementation may define the same modulo arithmetic for both unsigned as well as signed integers. On such an implementation, signed integers overflow by wrapping around to zero. An example of such an implementation is GNU GCC invoked with the -fwrapv command-line option.
Other implementations may cause a hardware trap (also called an exceptional condition) to be generated when a signed integer overflows. On such implementations, a program that causes a signed integer to overflow will most likely abnormally exit. On a UNIX system, the result of such an event may be a signal sent to the process. An example of such an implementation is GNU GCC invoked with the -ftrapv command-line option.
...
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type for rules about adding a pointer to an integer. (See ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element.) Incrementing is equivalent to adding one1.
Noncompliant Code Example
...
This compliant solution is based on the fact that both the division and modulo operators truncate toward zero, as specified in Section 6.5.5, footnote 105, of the C standard Standard [ISO/IEC 9899:2011]. This guarantees that
...
Furthermore, it guarantees that the minumum minimum signed value modulo −1 yields 0.
...
This solution is also compliant with INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.
Atomic Integers
The C standard [ISO/IEC 9899:2011] Standard defines the behavior of arithmetic on atomic signed integer types to use two's complement representation with silent wraparound on overflow; there are no undefined results. However, although defined, these results may be unexpected and therefore carry similar risks to unsigned integer wrapping (see INT30-C. Ensure that unsigned integer operations do not wrap). Consequently, signed integer overflow of atomic integer types should also be prevented or detected.
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| 43 D | Partially implemented. | |||||||
Fortify SCA | V. 5.0 | Can detect violations of this rule with CERT C Rule Pack. Specifically, it checks to ensure that the operand of a unary negation | |||||||
| PRQA QA-C |
| 0278 | Fully implemented. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
...
...
| TS 17961 | (Draft) Overflowing signed integers [intoflow] |
ISO/IEC TR 24772 "XYY Wrap-around error"
...
...
| Unchecked array indexing |
...
...
...
| -190, |
...
| Integer overflow (wrap or wraparound) |
...
Bibliography
| [Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic |
|---|
...
| Boundary Conditions," pp. 211–223) | |
|---|---|
| [Seacord 2005] | Chapter 5, "Integers" |
| [Viega 2005] | Section 5.2.7, "Integer |
...
| Overflow" | |
| [VU#551436] | |
| [Warren 2002] | Chapter 2, "Basics" |