...
INT32-EX1. Unsigned integers can exhibit modulo behavior (wrapping) only when this behavior is necessary for the proper execution of the program. It is recommended that the variable declaration be clearly commented as supporting modulo behavior and that each operation on that integer also be clearly commented as supporting modulo behavior.
INT32-EX2. Checks for wraparound can be omitted when it can be determined at compile-time that wraparound will not occur. As such, the following operations on unsigned integers require no validation:
- Operations on two compile-time constants
- Operations on a variable and 0 (except divison by 0, of course)
- Subtracting any variable from its type's maximum. For instance, any
unsigned intmay safely be subtracted fromINT_MAX. - Multiplying any variable by 0 or 1
- Division, as long as the divisor is nonzero.
- Left-shifting 0 by any number.
- Right-shifting any type maximum by any number smaller than the type size. For instance,
INT_MAX >> xis valid as long asx < sizeof( int).
Risk Assessment
Integer wrap can lead to buffer overflows and the execution of arbitrary code by an attacker.
...