...
The C Standard, 6.5.7, paragraph 4 [ISO/IEC 9899:2011], states:
...
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a logic error. These issues are covered by INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.
Noncompliant Code Example
This noncompliant code example performs a left shift, after verifying that the number being shifted is not negative, and the number of bits to shift is valid. The PRECISION() macro and popcount() function provide the correct precision for any integer type (see INT35-C. Use correct integer precisions). However, because this code does no overflow check, it can result in an unrepresentable value.
...
Compliant Solution
This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| ALLOC.SIZE.ADDOFLOW | Addition overflow of allocation size | ||||||
| Coverity | 6.5 | TAINTED_STATIC | Fully Implementedimplemented | ||||||
5.0 | Can detect violations of this rule with CERT C Rule Pack. Specifically, it checks to ensure that the operand of a unary negation is compared to the type's minimum value immediately before the operation | ||||||||
| 493 S, 494 S | Partially implemented | |||||||
| PRQA QA-C |
| 2800, 2801, 2802, 2803 | Fully implemented |
...
| [Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223) |
| [ISO/IEC 9899:2011] | Subclause 6.5.5, "Multiplicative Operators" |
| [Seacord 2013b] | Chapter 5, "Integer Security" |
| [Viega 2005] | Section 5.2.7, "Integer Overflow" |
| [Warren 2002] | Chapter 2, "Basics" |
...