...
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a bug (logic error). This A logic error is different from overflow, where in which there is simply a representational deficiency. (See INT32-C. Ensure that operations on signed integers do not result in overflow.)
...
The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are filled with zeros. According to the C Standard, if E1 has an unsigned type, the value of the result is E1 * 2E2, reduced modulo one 1 more than the maximum value representable in the result type.
...
Making assumptions about whether a right shift is implemented as an arithmetic (signed) shift or a logical (unsigned) shift can also lead to vulnerabilities. See INT13-C. Use bitwise operators only on unsigned operands.
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
|
| Can detect violations of this rule. Unsigned operands are detected when checking for INT13-C. Use bitwise operators only on unsigned operands | |||||||
| ECLAIR |
| CC2.INT34 | Partially implemented | ||||||
5.0 |
| Can detect violations of this rule with CERT C Rule Pack | |||||||
| 403 S | Partially implemented | |||||||
| PRQA QA-C |
| 0499 | Partially implemented |
...
| [Dowd 2006] | Chapter 6, "C Language Issues" |
| [ISO/IEC C99 Rationale 2003] | Section Subclause 6.5.7, "Bitwise Shift Operators" |
| [Seacord 2013] | Chapter 5, "Integer Security" |
| [Viega 2005] | Section 5.2.7, "Integer Overflow" |
...