...

Besides programmer-defined types, an implementation is also not required to provide format length modifiers for its own implementation-defined integer types. For example, a machine with an implementation-defined 48-bit integer type need not provide a length modifier for that type. Such a machine would still have to provide a long long of at least 64 bits, and intmax_t must be at least that wide.

Non-Compliant Code Example (printf())

This non-compliant code example prints the value of x as an unsigned long long value, even though the value is of a programmer-defined integer type.

...

Consequently, there is no guarantee that this code prints the correct value of x: passing an argument whose type does not match the conversion specification is undefined behavior, and x is not necessarily an unsigned long long and may not even be representable as one.

Compliant Solution (printf())

The C99 intmax_t and uintmax_t can be safely used to perform formatted I/O with programmer-defined integer types. This is accomplished by converting signed programmer-defined integer types to intmax_t and unsigned programmer-defined integer types to uintmax_t, then outputting these values using the j length modifier. Similarly, programmer-defined integer types can be input to variables of intmax_t or uintmax_t (whichever matches the signedness of the programmer-defined integer type) and then converted to programmer-defined integer types using appropriate range checks.

...

#include <stdio.h>
#include <inttypes.h>
/* ... */
mytypedef_t x;
/* ... */
/* Widen to the greatest-width unsigned type, then print with the j modifier */
printf("%ju", (uintmax_t) x);

Non-Compliant Code Example (scanf())

The following non-compliant code example reads an unsigned long long value from standard input and stores the result in x, which is of a programmer-defined integer type.

...

scanf() writes sizeof(unsigned long long) bytes through the pointer it is given. If mytypedef_t is smaller than unsigned long long, that write runs past the end of x and overflows adjacent storage; if mytypedef_t is larger, only part of x is written and the stored value is incorrect. Either way the argument type does not match the conversion specification, which is undefined behavior.

Compliant Solution (scanf())

This compliant solution guarantees that either a value within the range of mytypedef_t is read or an error is detected, assuming MYTYPEDEF_MAX correctly names the largest value representable by mytypedef_t.

#include <stdio.h>
#include <inttypes.h>
/* ... */
mytypedef_t x;
uintmax_t temp;
/* ... */
/* Read into the greatest-width unsigned type */
if (scanf("%ju", &temp) != 1) {
  /* handle error */
}
/* Range-check before narrowing to the programmer-defined type */
if (temp > MYTYPEDEF_MAX) {
  /* handle error */
}
x = temp;
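The following worked example is added here and is not code from the original page. It assumes two hypothetical programmer-defined types standing in for the page's mytypedef_t: a 16-bit unsigned myuint_t with limit MYUINT_MAX and an 8-bit signed myint_t with limits MYINT_MIN and MYINT_MAX. It carries both compliant solutions above through in working code, formatting by widening to uintmax_t / intmax_t with the j modifier, and parsing by reading into the greatest-width type, range-checking, and only then narrowing, and it extends the page's unsigned case to the signed case, where both ends of the range must be checked.

```c
#include <ctype.h>
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical programmer-defined integer types (assumptions for this example). */
typedef unsigned short myuint_t;   /* assumed 16-bit unsigned */
#define MYUINT_MAX USHRT_MAX
typedef signed char myint_t;       /* assumed 8-bit signed */
#define MYINT_MIN SCHAR_MIN
#define MYINT_MAX SCHAR_MAX

/* Output: widen to the greatest-width type of matching signedness, then use %ju / %jd.
 * Returns what snprintf returns (characters that would have been written). */
int format_myuint(char *buf, size_t len, myuint_t x) {
  return snprintf(buf, len, "%ju", (uintmax_t) x);
}

int format_myint(char *buf, size_t len, myint_t x) {
  return snprintf(buf, len, "%jd", (intmax_t) x);
}

/* Input: read into uintmax_t, reject anything that is not exactly one
 * non-negative integer, range-check, then narrow.
 * Returns 0 on success, -1 on malformed input, -2 on out-of-range. */
int parse_myuint(const char *s, myuint_t *out) {
  const char *p = s;
  uintmax_t tmp;
  int consumed = 0;

  /* %ju accepts a leading '-' and wraps (strtoumax semantics); reject it
   * explicitly so that "-1" is a format error rather than a silent wrap. */
  while (isspace((unsigned char) *p)) {
    p++;
  }
  if (*p == '-') {
    return -1;
  }
  if (sscanf(s, "%ju%n", &tmp, &consumed) != 1) {
    return -1;
  }
  if (s[consumed] != '\0') {
    return -1;                     /* trailing garbage such as "12abc" */
  }
  if (tmp > MYUINT_MAX) {
    return -2;                     /* does not fit in myuint_t */
  }
  *out = (myuint_t) tmp;
  return 0;
}

/* Signed variant: intmax_t plus a check at both ends of the range. */
int parse_myint(const char *s, myint_t *out) {
  intmax_t tmp;
  int consumed = 0;

  if (sscanf(s, "%jd%n", &tmp, &consumed) != 1) {
    return -1;
  }
  if (s[consumed] != '\0') {
    return -1;
  }
  if (tmp < MYINT_MIN || tmp > MYINT_MAX) {
    return -2;
  }
  *out = (myint_t) tmp;
  return 0;
}

int main(void) {
  char buf[32];
  myuint_t u = 0;
  myint_t i = 0;

  /* Why "%llu" into a myuint_t is an out-of-bounds write on this platform. */
  printf("sizeof(unsigned long long)=%zu, sizeof(myuint_t)=%zu\n",
         sizeof(unsigned long long), sizeof(myuint_t));

  /* Constructed inputs: in range, out of range, negative, malformed. */
  printf("65535 -> %d\n", parse_myuint("65535", &u));
  printf("65536 -> %d\n", parse_myuint("65536", &u));
  printf("-1    -> %d\n", parse_myuint("-1", &u));
  printf("12abc -> %d\n", parse_myuint("12abc", &u));
  printf("-129  -> %d\n", parse_myint("-129", &i));

  format_myuint(buf, sizeof buf, (myuint_t) 65535);
  printf("formatted: %s\n", buf);
  return 0;
}
```

Two caveats for untrusted input. First, the scanf() family gives undefined behavior if the converted value does not fit in the object, so an input that overflows uintmax_t itself is not caught by the range check; for hostile input, strtoumax() / strtoimax() with an errno == ERANGE check is the safer way to get the greatest-width value before narrowing. Second, the trailing-garbage check via %n is stricter than the page's solution and rejects surrounding whitespace, which is usually what a parser of a single numeric field wants.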

Risk Assessment

Failure to use an appropriate conversion specifier when inputting or outputting programmer-defined integer types can result in buffer overflow and lost or misinterpreted data.

Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
INT15-A        | high     | probable   | medium           | P12      | L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[ISO/IEC 9899-1999] Section 7.18.1.5, "Greatest-width integer types," and Section 7.19.6, "Formatted input/output functions"

...