...
The following sections examine specific operations that are susceptible to unsigned integer wrap. When operating on small integer types (smaller than `int`), integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Programmers should understand integer conversion rules before trying to implement secure arithmetic operations. (See INT02-C. Understand integer conversion rules.)
...
The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer overflow vulnerability resulting from an unsigned integer wrap during the multiplication of the signed `int` value `pen->num_vertices` and the `size_t` value `sizeof(cairo_pen_vertex_t)` [VU#551436]. The signed `int` operand is converted to `size_t` prior to the multiplication operation so that the multiplication takes place between two `size_t` integers, which are unsigned. (See INT02-C. Understand integer conversion rules.)
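The sizing bug described above, shown as an added example that is not code from the Mozilla or cairo projects: the unchecked product demonstrates what a negative count becomes after conversion to `size_t`, and the hardened version rejects negative counts before conversion and guards the multiplication with a precondition test. The `vertex_t` struct is a constructed stand-in for `cairo_pen_vertex_t`, whose real layout is not on the page; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the viewer's vertex type; the real
 * cairo_pen_vertex_t layout is not on the page. */
typedef struct { double x, y; } vertex_t;

/* The unchecked computation: the int operand is converted to size_t, so a
 * negative count becomes a value near SIZE_MAX and the product wraps, giving
 * an allocation far smaller than the code later assumes. */
size_t vertex_bytes_unchecked(int num_vertices) {
    return num_vertices * sizeof(vertex_t); /* int converted to size_t here */
}

/* Generic precondition test for size_t multiplication.
 * product may be NULL when the caller only wants the verdict. */
bool checked_mul_size(size_t a, size_t b, size_t *product) {
    if (b != 0 && a > SIZE_MAX / b) {
        return false; /* a * b would wrap */
    }
    if (product) *product = a * b;
    return true;
}

/* Hardened sizing: reject negative counts before the conversion happens,
 * then guard the multiplication itself. */
bool vertex_bytes_checked(int num_vertices, size_t *bytes) {
    if (num_vertices < 0) {
        return false;
    }
    return checked_mul_size((size_t)num_vertices, sizeof(vertex_t), bytes);
}

/* Allocation wrapper that returns NULL instead of an undersized buffer. */
vertex_t *alloc_vertices(int num_vertices) {
    size_t bytes;
    if (!vertex_bytes_checked(num_vertices, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}
```

The order of the two checks matters: the sign test has to run on the `int` before it is converted, because once the value is a `size_t` the information that it was negative is gone and only the (possibly wrapping) product remains.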
...
This compliant solution performs a postcondition test to ensure that the result of the unsigned addition operation to `i` is not less than the operand `ui_a`:

```c
#include <stdatomic.h>

atomic_int i;
int ui_a;

/* Initialize ui_a, i */

atomic_fetch_add(&i, ui_a);
if (atomic_load(&i) < ui_a) {
  /* Handle error condition */
}
```
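The precondition and postcondition tests for unsigned addition side by side, as an added example rather than code from the original page; it uses explicitly unsigned types so that the wrap the postcondition relies on is well defined. The atomic variant replaces the fetch-and-add with a compare-and-swap loop, which lets the precondition test run against the value actually being replaced instead of detecting the wrap after the counter has already moved. All function names are hypothetical.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Precondition test: refuse the addition when a + b would exceed UINT_MAX.
 * sum may be NULL when the caller only wants the verdict. */
bool add_unsigned_pre(unsigned int a, unsigned int b, unsigned int *sum) {
    if (UINT_MAX - a < b) {
        return false;
    }
    if (sum) *sum = a + b;
    return true;
}

/* Postcondition test: add first, detect the wrap afterwards. Valid only for
 * unsigned operands, whose wrap is well defined: a + b wrapped exactly when
 * the result is smaller than either operand. */
bool add_unsigned_post(unsigned int a, unsigned int b, unsigned int *sum) {
    unsigned int r = a + b;
    if (r < a) {
        return false;
    }
    if (sum) *sum = r;
    return true;
}

/* Atomic counter: the compare-and-swap loop applies the precondition test to
 * the current value and retries if another thread changed it meanwhile, so
 * the counter never wraps. Returns false, leaving the counter unchanged, if
 * the increment would wrap. */
bool atomic_add_checked(atomic_uint *counter, unsigned int delta) {
    unsigned int cur = atomic_load(counter);
    do {
        if (UINT_MAX - cur < delta) {
            return false;
        }
    } while (!atomic_compare_exchange_weak(counter, &cur, cur + delta));
    return true;
}

/* Runs atomic_add_checked on a fresh counter and returns the final value;
 * a refused increment leaves it equal to start. */
unsigned int atomic_add_final(unsigned int start, unsigned int delta) {
    atomic_uint counter;
    atomic_init(&counter, start);
    atomic_add_checked(&counter, delta);
    return atomic_load(&counter);
}
```

With `atomic_fetch_add` the caller only learns about the wrap after the shared counter already holds the wrapped value, and any other thread may have observed it in between; the compare-and-swap form never publishes a wrapped value at all.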
Exceptions
...
- Operations on two compile-time constants
- Operations on a variable and 0 (except division by 0, of course)
- Subtracting any variable from its type's maximum; for instance, any `unsigned int` may safely be subtracted from `UINT_MAX`
- Multiplying any variable by 1
- Division, as long as the divisor is nonzero
- Right-shifting any type maximum by any number smaller than the type size; for instance, `UINT_MAX >> x` is valid as long as 0 <= x < 32 (assuming that the size of `unsigned int` is 32 bits)
- Left-shifting 1 by any number smaller than the type size
...
Tool | Version | Checker | Description
---|---|---|---
 | | | Can detect violations of this rule by ensuring that operations are checked for overflow before being performed. Be mindful of exception INT30-EX2 because it excuses many operations from requiring validation, including all the operations that would validate a potentially dangerous operation. For instance, adding two
Coverity | 6.5 | INTEGER_OVERFLOW | Implemented
 | 5.0 | | Can detect violations of this rule with the CERT C Rule Pack
PRQA QA-C | | 2910 (C) | Partially implemented
...
CVE-2009-1385 results from a violation of this rule. The vulnerable code performs an unchecked subtraction on the length of a buffer and then adds that many bytes of data to another buffer [xorl 2009]. This can cause a buffer overflow, which allows an attacker to execute arbitrary code.

A Linux kernel `vmsplice` exploit, described by Rafal Wojtczuk [Wojtczuk 2008], documents a vulnerability and exploit arising from a buffer overflow (caused by unsigned integer wrapping).
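The unchecked-length pattern behind CVE-2009-1385, reduced to its essentials as an added example that is not code from the Linux kernel or from the cited write-up: subtracting a header length from a frame length wraps whenever the frame is shorter than the header, and a later copy of "that many bytes" overruns its destination. The guarded form establishes `len >= HDR_LEN` before subtracting and bounds the copy by the destination capacity. The frame layout, header length and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame layout: a fixed-size header followed by a payload. */
#define HDR_LEN ((size_t)4)

/* Unchecked form of the pattern: when len is smaller than the header,
 * len - HDR_LEN wraps to a value near SIZE_MAX, and copying that many
 * bytes overruns any destination buffer. */
size_t payload_len_unchecked(size_t len) {
    return len - HDR_LEN;
}

/* Guarded form: establish len >= HDR_LEN before subtracting, and bound the
 * copy by the destination capacity. Returns false when the frame is rejected
 * and stores the number of bytes copied otherwise. */
bool copy_payload(const uint8_t *frame, size_t len,
                  uint8_t *dst, size_t dst_cap, size_t *copied) {
    if (frame == NULL || dst == NULL || len < HDR_LEN) {
        return false;
    }
    size_t payload = len - HDR_LEN; /* cannot wrap: len >= HDR_LEN */
    if (payload > dst_cap) {
        return false;
    }
    memcpy(dst, frame + HDR_LEN, payload);
    *copied = payload;
    return true;
}

/* Drives copy_payload with a constructed 8-byte frame and a 16-byte
 * destination; claimed_len is the length a caller asserts for the frame.
 * Returns the bytes copied, or -1 when the frame is rejected. */
long copy_from_sample(size_t claimed_len) {
    static const uint8_t frame[8] = { 0xAA, 0xBB, 0xCC, 0xDD, 1, 2, 3, 4 };
    uint8_t dst[16] = { 0 };
    if (claimed_len > sizeof frame) {
        return -1; /* never read past the constructed frame */
    }
    size_t copied = 0;
    if (!copy_payload(frame, claimed_len, dst, sizeof dst, &copied)) {
        return -1;
    }
    return (long)copied;
}
```

The defensive rule is the same as in the addition and multiplication cases: compare before you operate, so that the subtraction is only evaluated once the operands are known to satisfy `len >= HDR_LEN`, and never trust a length derived by arithmetic on attacker-controlled input without a bound tied to the destination.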
...
[Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223)
[ISO/IEC 9899:2011] | Subclause 6.2.5, "Types"
[Seacord 2013] | Chapter 5, "Integer Security"
[Viega 2005] | Section 5.2.7, "Integer Overflow"
[VU#551436] |
[Warren 2002] | Chapter 2, "Basics"
[Wojtczuk 2008] |
[xorl 2009] | "CVE-2009-1385: Linux Kernel E1000 Integer Underflow"
...