SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 45

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 46

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added post condition tests for addition and subtraction

...

Code Block
bgColor#FFcccc
unsigned int ui1, ui2, usum;

/* Initialize ui1 and ui2 */

usum = ui1 + ui2;

Compliant Solution (Pre-condition Test)

This compliant solution performs a pre-condition test of the operands of the addition to guarantee there is no possibility of unsigned wrap.

Code Block
bgColor#ccccff
unsigned int ui1, ui2, usum;

/* Initialize ui1 and ui2 */

if (UINT_MAX - ui1 < ui2) {
  /* handle error condition */
}
else {
  usum = ui1 + ui2;
}

Compliant Solution (Post-condition Test)

This compliant solution performs a post-condition test to ensure that the result of the unsigned addition operation usum is not less than either of the operands.

...

Code Block
bgColor#FFcccc
unsigned int ui1, ui2, udiff;

/* Initialize ui1 and ui2 */

udiff = ui1 - ui2;

Compliant Solution (Pre-condition Test)

This compliant solution tests performs a pre-condition test of the unsigned operands of the subtraction operation to guarantee there is no possibility of unsigned wrap.

Code Block
bgColor#ccccff
unsigned int ui1, ui2, udiff;

/* Initialize ui1 and ui2 */

if (ui1 < ui2){
   /* handle error condition */
}
else {
  udiff = ui1 - ui2;
}

Compliant Solution (Post-condition Test)

This compliant solution tests the unsigned operands performs a post-condition test that the result of the unsigned subtraction to guarantee there is no possibility of unsigned wrapoperation udiff is not greater than either of the operands.

Code Block
bgColor#ccccff
unsigned int ui1, ui2, udiff ;

/* Initialize ui1 and ui2 */

udiff = ui1 - ui2;
if (udiff > ui1 || udiff > ui2) {
  /* handle error condition */
}

...

The unsigned integer wrap can result in allocating memory of insufficient size.

Compliant Solution

This compliant solution tests the operands of the multiplication to guarantee that there is no unsigned integer wrap.

...

Code Block
bgColor#FFcccc
unsigned int ui1, ui2, uresult;

/* Initialize ui1 and ui2 */

uresult = ui1 << ui2;

Compliant Solution

This compliant solution tests the operands of the left shift to guarantee there is no possibility of unsigned wrap. This solution must also be compliant with INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.

...