...
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type. This rule only applies to addition between two operands of arithmetic type. See ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR30-C. Do not form or use out-of-bounds pointers or array subscripts.
Incrementing is equivalent to adding 1.
...
Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or a pointer to an object type and an integer type. This rule only applies to subtraction between two operands of arithmetic type. See ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR30-C. Do not form or use out-of-bounds pointers or array subscripts for information about pointer subtraction.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
pen->num_vertices = _cairo_pen_vertices_needed(
gstate->tolerance, radius, &gstate->ctm
);
if (pen->num_vertices > SIZE_MAX / sizeof(cairo_pen_vertex_t)) {
/* Handle error condition */
}
pen->vertices = malloc(
pen->num_vertices * sizeof(cairo_pen_vertex_t)
);
|
...
Left-Shift Operator
...
Exceptions
INT30-EX1. Unsigned integers can exhibit modulo behavior (wrapping) when necessary for the proper execution of the program. It is recommended that the variable declaration be clearly commented as supporting modulo behavior and that each operation on that integer also be clearly commented as supporting modulo behavior.
...
- Operations on two compile-time constants
- Operations on a variable and 0 (except division by 0, of course)
- Subtracting any variable from its type's maximum; for example, any
unsigned intmay safely be subtracted fromUINT_MAX - Multiplying any variable by 1
- Division, as long as the divisor is nonzero
- Right-shifting any type maximum by any number smaller than the type size; for instance,
UINT_MAX >> xis valid as long as0 <= x < 32(assuming that the size ofunsigned intis 32 bits)Left-shifting 1 by any number smaller than the type size
| Anchor | ||||
|---|---|---|---|---|
|
INT30-EX3. The left-shift operator takes two operands of integer type. Unsigned left shift << can exhibit modulo behavior (wrapping). This exception is provided because of common usage, because this behavior is usually expected by the programmer, and because the behavior is well defined. For examples of usage of the left-shift operator, see INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.
Risk Assessment
Integer wrap can lead to buffer overflows and the execution of arbitrary code by an attacker.
...
...