...
For these reasons, it is important to ensure that operations on signed integers do not result in overflow. Of particular importance are operations on signed integer values that originate from a tainted source and are used as:
- Integer operands of any pointer arithmetic, including array indexing;
- The assignment expression for the declaration of a variable length array;
- The postfix expression preceding square brackets [] or the expression in square brackets [] of a subscripted designation of an element of an array object; and
- Function arguments of type size_t or rsize_t (for example, an argument to a memory allocation function).
...
The remainder operator provides the remainder when two operands of integer type are divided. Because many platforms implement remainder and division in the same instruction, the remainder operator is also susceptible to arithmetic overflow and division by zero (see INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors).
...
Many hardware architectures implement remainder as part of the division operator, which can overflow. Overflow can occur during a remainder operation when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1. This occurs even though the result of such a remainder operation is mathematically 0. This noncompliant code example prevents divide-by-zero errors in compliance with INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors, but does not prevent integer overflow:
...
On x86-32 platforms, the remainder operator for signed integers is implemented by the idiv instruction, along with the divide operator. Because LONG_MIN / −1 overflows, this code will throw a floating-point exception on LONG_MIN % −1.
Compliant Solution
This compliant solution also tests the remainder operands to guarantee there is no possibility of an overflow:
...
The C Standard, 6.5.7, paragraph 4 [ISO/IEC 9899:2011], states:
If E1 has a signed type and nonnegative value, and E1 × 2^E2 is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a logic error. These issues are covered by INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.
Noncompliant Code Example
This noncompliant code example performs a left shift, after verifying that the number being shifted is not negative, and the number of bits to shift is valid. The PRECISION() macro and popcount() function provide the correct precision for any integer type (see INT35-C. Use correct integer precisions). However, because this code does no overflow check, it can result in an unrepresentable value.
...
Compliant Solution
This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:
...
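As an added example (not code from the CERT page itself), the two guarded operations discussed above, the remainder check that rejects LONG_MIN % −1 and the left-shift check built on an INT35-C-style PRECISION() macro, written as functions that report failure instead of computing an undefined result. The names checked_rem, checked_shl and the popcount helper are chosen here and are not the page's own:

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Precision of an unsigned type is the number of set bits in its maximum
 * value; this is the popcount()/PRECISION() idiom INT35-C refers to. */
static size_t popcount(uintmax_t num) {
  size_t precision = 0;
  while (num != 0) {
    if (num % 2 == 1) {
      precision++;
    }
    num >>= 1;
  }
  return precision;
}
#define PRECISION(umax_value) popcount(umax_value)

/* Remainder guarded against divide-by-zero and LONG_MIN % -1. Returns false
 * and leaves *result untouched when the operation would be undefined. */
bool checked_rem(signed long s_a, signed long s_b, signed long *result) {
  if ((s_b == 0) || ((s_a == LONG_MIN) && (s_b == -1))) {
    return false; /* x86 idiv traps here even though the answer is 0 */
  }
  *result = s_a % s_b;
  return true;
}

/* Left shift guarded against negative operands, an out-of-range shift
 * count, and a result that si_a * 2^si_b cannot represent in a long. */
bool checked_shl(signed long si_a, signed long si_b, signed long *result) {
  if ((si_a < 0) || (si_b < 0) ||
      ((uintmax_t)si_b >= PRECISION(ULONG_MAX)) ||
      (si_a > (LONG_MAX >> si_b))) {
    return false;
  }
  *result = si_a << si_b;
  return true;
}

int main(void) {
  signed long r;
  printf("LONG_MIN %% -1 accepted: %d\n", checked_rem(LONG_MIN, -1, &r));
  printf("LONG_MAX << 1 accepted: %d\n", checked_shl(LONG_MAX, 1, &r));
  return 0;
}
```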
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | ALLOC.SIZE.ADDOFLOW, ALLOC.SIZE.IOFLOW, ALLOC.SIZE.MULOFLOW, ALLOC.SIZE.SUBUFLOW, MISC.MEM.SIZE.ADDOFLOW, MISC.MEM.SIZE.BAD, MISC.MEM.SIZE.MULOFLOW, MISC.MEM.SIZE.SUBUFLOW | One description per checker, in order: addition overflow of allocation size; integer overflow of allocation size; multiplication overflow of allocation size; subtraction underflow of allocation size; addition overflow of size; unreasonable size argument; multiplication overflow of size; subtraction underflow of size |
| Coverity | 6.5 | TAINTED_STATIC | Fully implemented |
| | 5.0 | | Can detect violations of this rule with CERT C Rule Pack. Specifically, it checks to ensure that the operand of a unary negation is compared to the type's minimum value immediately before the operation |
| | | 43 D | Partially implemented |
| PRQA QA-C | | 2800, 2801, 2802, 2803 | Fully implemented |
...
...