...
Included page: c:INT32-C-c. Ensure that integer multiplication operations do not result in an overflow
...
Division
The division operator takes two operands of arithmetic type. Overflow can occur during two's-complement signed integer division when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to -1. Both signed and unsigned division operations are also susceptible to divide-by-zero errors.
Non-Compliant Code Example
This code can result in a signed integer overflow during the division of the signed operands sl1 and sl2, or in a divide-by-zero error. If this behavior is unanticipated, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that could lead to an exploitable vulnerability.
```c
signed long sl1, sl2, result;
/* Undefined behavior when sl2 == 0, or when sl1 == LONG_MIN and sl2 == -1
 * (the true quotient -LONG_MIN is not representable). */
result = sl1 / sl2;
```
Compliant Solution
This compliant solution tests the suspect division operation to guarantee there is no possibility of signed overflow or divide-by-zero errors.
```c
#include <limits.h>   /* LONG_MIN */

signed long sl1, sl2, result;
if ( (sl2 == 0) || ( (sl1 == LONG_MIN) && (sl2 == -1) ) ) {
  /* handle error condition */
} else {
  /* Only reached when the division is well defined. */
  result = sl1 / sl2;
}
```
Included page: c:INT32-C-d. Ensure that integer division operations do not result in an overflow
...
----
Unary Negation
The unary negation operator takes an operand of arithmetic type. Overflow can occur during two's-complement unary negation when the operand is equal to the minimum (negative) value for the signed integer type.
Non-Compliant Code Example
This code can result in a signed integer overflow during the unary negation of the signed operand si1. If this behavior is unanticipated, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that could lead to an exploitable vulnerability.
```c
signed int si1, result;
/* Undefined behavior when si1 == INT_MIN: -INT_MIN does not fit in an int. */
result = -si1;
```
Compliant Solution
This compliant solution tests the suspect negation operation to guarantee there is no possibility of signed overflow.
```c
#include <limits.h>   /* INT_MIN */

signed int si1, result;
if (si1 == INT_MIN) {
  /* handle error condition */
} else {
  /* Every other int value has a representable negation. */
  result = -si1;
}
```
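The division check (zero divisor, or LONG_MIN divided by -1) and the negation check (INT_MIN) above, packaged as status-returning functions so that the caller cannot reach the arithmetic without first acting on the result. This is an added example, not code from the CERT page; the function names checked_div_long and checked_neg_int and the sample inputs are constructed for illustration.

```c
/* Added example (not the CERT page's own code): checked signed division and
 * negation that report an error instead of invoking undefined behavior. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Returns true and stores the quotient in *result when sl1 / sl2 is defined;
 * returns false for a zero divisor or for LONG_MIN / -1, whose true quotient
 * (-LONG_MIN) is not representable in a two's-complement long. */
bool checked_div_long(long sl1, long sl2, long *result) {
    if (sl2 == 0) {
        return false;                      /* divide-by-zero */
    }
    if (sl1 == LONG_MIN && sl2 == -1) {
        return false;                      /* signed overflow */
    }
    *result = sl1 / sl2;
    return true;
}

/* Returns true and stores -si1 in *result unless si1 == INT_MIN, the one
 * int value whose negation does not fit in int. */
bool checked_neg_int(int si1, int *result) {
    if (si1 == INT_MIN) {
        return false;                      /* signed overflow */
    }
    *result = -si1;
    return true;
}

/* Typical use: the caller must test the status before using *result. */
int main(void) {
    long q;
    int n;
    /* Constructed inputs covering the ordinary case and each error case. */
    long div_cases[][2] = { {100L, 7L}, {LONG_MIN, -1L}, {5L, 0L} };
    int neg_cases[] = { 42, INT_MIN };

    for (size_t i = 0; i < sizeof div_cases / sizeof div_cases[0]; i++) {
        if (checked_div_long(div_cases[i][0], div_cases[i][1], &q)) {
            printf("%ld / %ld = %ld\n", div_cases[i][0], div_cases[i][1], q);
        } else {
            printf("%ld / %ld rejected\n", div_cases[i][0], div_cases[i][1]);
        }
    }
    for (size_t i = 0; i < sizeof neg_cases / sizeof neg_cases[0]; i++) {
        if (checked_neg_int(neg_cases[i], &n)) {
            printf("-(%d) = %d\n", neg_cases[i], n);
        } else {
            printf("-(%d) rejected\n", neg_cases[i]);
        }
    }
    return 0;
}
```

Returning a status rather than a sentinel value matters here because every long is a legitimate quotient, so there is no in-band value left over to signal failure.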
Included page: c:INT32-C-e. Ensure that integer unary negation operations do not result in an overflow
...
----
Left Shift Operator
The left shift operator takes two operands of integer type.
Non-Compliant Code Example
This code can result in an unsigned overflow during the shift operation of the unsigned operands ui1 and ui2. If this behavior is unanticipated, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that could lead to an exploitable vulnerability.
```c
unsigned int ui1, ui2, result;
/* Undefined behavior when ui2 >= width of unsigned int; otherwise high-order
 * bits of ui1 are silently discarded. */
result = ui1 << ui2;
```
Compliant Solution
This compliant solution tests the suspect shift operation to guarantee there is no possibility of unsigned overflow.
```c
#include <limits.h>   /* CHAR_BIT */

unsigned int ui1, ui2, result;
/* ui2 is unsigned, so a "ui2 < 0" test is always false and only the upper
 * bound needs checking; CHAR_BIT avoids assuming 8-bit bytes. */
if (ui2 >= sizeof(unsigned int) * CHAR_BIT) {
  /* handle error condition */
} else {
  result = ui1 << ui2;
}
```
Included page: c:INT32-C-f. Ensure that integer left shift operations do not result in an overflow
...
----
Right Shift Operator
The right shift operator takes two operands of integer type.
Non-Compliant Code Example
This code can result in an unsigned overflow during the shift operation of the unsigned operands ui1 and ui2. If this behavior is unanticipated, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that could lead to an exploitable vulnerability.
```c
unsigned int ui1, ui2, result;
/* Undefined behavior when ui2 >= width of unsigned int. */
result = ui1 >> ui2;
```
Compliant Solution
This compliant solution tests the suspect shift operation to guarantee there is no possibility of unsigned overflow.
...
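Checked versions of both shift operations from the two sections above, as an added example that is not code from the CERT page. The left-shift check goes one step further than the range test in the compliant solution: besides rejecting a shift count of the operand width or more, it also rejects any shift that would discard set high-order bits, which is the sense in which an unsigned left shift can "overflow". The macro UINT_WIDTH_BITS, the function names checked_shl_uint and checked_shr_uint and the sample inputs are constructed here.

```c
/* Added example (not the CERT page's own code): checked unsigned shifts. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Number of bits in unsigned int, computed with CHAR_BIT rather than as
 * sizeof(int)*8, which silently assumes 8-bit bytes. */
#define UINT_WIDTH_BITS (sizeof(unsigned int) * CHAR_BIT)

/* Left shift: rejects a shift count >= width (undefined behavior in C) and,
 * more strictly, any shift that would lose set bits, i.e. where shifting the
 * result back to the right would not reproduce ui1. */
bool checked_shl_uint(unsigned int ui1, unsigned int ui2, unsigned int *result) {
    if (ui2 >= UINT_WIDTH_BITS) {
        return false;                          /* shift count out of range */
    }
    /* The ui2 != 0 guard keeps the inner shift count below the width. */
    if (ui2 != 0 && (ui1 >> (UINT_WIDTH_BITS - ui2)) != 0) {
        return false;                          /* high-order bits would be lost */
    }
    *result = ui1 << ui2;
    return true;
}

/* Right shift: only the shift count needs validating; bits shifted out of an
 * unsigned value are simply dropped and the result is always representable. */
bool checked_shr_uint(unsigned int ui1, unsigned int ui2, unsigned int *result) {
    if (ui2 >= UINT_WIDTH_BITS) {
        return false;                          /* shift count out of range */
    }
    *result = ui1 >> ui2;
    return true;
}

int main(void) {
    unsigned int r;
    /* Constructed inputs: an ordinary shift, a shift that keeps the top bit,
     * a shift that loses bits, and a shift count equal to the width. */
    unsigned int shl_cases[][2] = {
        { 1u, 4u },
        { 1u, (unsigned int)UINT_WIDTH_BITS - 1u },
        { 3u, (unsigned int)UINT_WIDTH_BITS - 1u },
        { 1u, (unsigned int)UINT_WIDTH_BITS },
    };
    for (size_t i = 0; i < sizeof shl_cases / sizeof shl_cases[0]; i++) {
        if (checked_shl_uint(shl_cases[i][0], shl_cases[i][1], &r)) {
            printf("%u << %u = %#x\n", shl_cases[i][0], shl_cases[i][1], r);
        } else {
            printf("%u << %u rejected\n", shl_cases[i][0], shl_cases[i][1]);
        }
    }
    if (checked_shr_uint(256u, 4u, &r)) {
        printf("256 >> 4 = %u\n", r);
    }
    if (!checked_shr_uint(1u, (unsigned int)UINT_WIDTH_BITS, &r)) {
        printf("1 >> %zu rejected\n", UINT_WIDTH_BITS);
    }
    return 0;
}
```

Whether a lossy left shift should be treated as an error depends on the caller: masking or hashing code may rely on bits falling off the top, whereas a size computation feeding an allocator must not, which is the case the non-compliant examples warn about.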
Included page: c:INT32-C-g. Ensure that integer right shift operations do not result in an overflow
Exceptions
Unsigned integers can be allowed to exhibit modulo behavior if and only if
...