Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

When a value with integer type is converted to another integer type other than _Bool, if the value can be represented by the new type, it is unchanged.

Otherwise, if the new type is unsigned, the value is converted by repeatedly adding or subtracting one more than the maximum value that can be represented in the new type until the value is in the range of the new type.

Otherwise, the new type is signed and the value cannot be represented in it; either the result is implementation-defined or an implementation-defined signal is raised.

...

Type range errors, including loss of data (truncation) and loss of sign (sign errors), can occur when converting from an unsigned type to a signed type. The following noncompliant code example results in a truncation error on most implementations.

Code Block
bgColor#FFcccc
langc
unsigned long int ul = ULONG_MAX;
signed char sc;
sc = (signed char)ul; /* cast eliminates warning */

...

A loss of data (truncation) can occur when converting from an unsigned type to an unsigned type with less precision. The following code results in a truncation error on most implementations.

Code Block
bgColorFFcccc
langc
unsigned long int ul = ULONG_MAX;
unsigned char uc = (unsigned char)ul;  /* cast eliminates warning */

...

INT31-EX1: The C standard defines minimum ranges for standard integer types. For example, the minimum range for an object of type unsigned short int is 0 to 65,535, while the minimum range for int is −32,767 to +32,767. This means that it is not always possible to represent all possible values of an unsigned short int as an int. However, on the IA-32 architecture, for example, the actual integer range is from −2,147,483,648 to +2,147,483,647, meaning that it is quite possible to represent all the values of an unsigned short int as an int for this architecture. As a result, it is not necessary to provide a test for this conversion on IA-32. It is not possible to make assumptions about conversions without knowing the precision of the underlying types. If these tests are not provided, assumptions concerning precision must be clearly documented, as the resulting code cannot be safely ported to a system where these assumptions are invalid. A good way to document these assumptions is by using static assertions. (See DCL03-C. Use a static assertion to test the value of a constant expression.)

Risk Assessment

Integer truncation errors can lead to buffer overflows and the execution of arbitrary code by an attacker.

...

Tool

Version

Checker

Description

LDRA tool suite

Include Page
LDRA_V
LDRA_V

93 S
433 S
434 S

Fully implemented.

Fortify SCA

V. 5.0

 

Can detect violations of this rule with CERT C Rule Pack.

Compass/ROSE

  

Can detect violations of this rule. However, false warnings may be raised if limits.h is included.

Klocwork

Include Page
Klocwork_V
Klocwork_V

PRECISION.LOSS

 

Coverity Prevent

Include Page
Coverity_V
Coverity_V

NEGATIVE_RETURNS

Can find array accesses, loop bounds, and other expressions that may contain dangerous implied integer conversions that would result in unexpected behavior.

Coverity Prevent

Include Page
Coverity_V
Coverity_V

REVERSE_NEGATIVE

Can find instances where a negativity check occurs after the negative value has been used for something else.

Coverity Prevent

Include Page
Coverity_V
Coverity_V

MISRA_CAST

Can find the instances where an integer expression is implicitly converted to a narrower integer type, or implicitly converting the signedness of an integer value or implicitly converting the type of a complex expression.

...

ISO/IEC 9899:2011 6.3, "Conversions"

ISO/IEC TR 24772 "FLC Numeric conversion errors"

MISRA Rules 10.1, 10.3, 10.5, and 12.9

MITRE CWE: CWE-192, "Integer coercion error," CWE-197, "Numeric truncation error," and CWE-681, "Incorrect conversion between numeric types"

Bibliography

[Dowd 2006] Chapter 6, "C Language Issues" ("Type conversions," pp. 223–270)
[Seacord 2005a] Chapter 5, "Integers"
[Viega 2005] Section 5.2.9, "Truncation error," Section 5.2.10, "Sign extension error," Section 5.2.11, "Signed to unsigned conversion error," and Section 5.2.12, "Unsigned to signed conversion error"
[Warren 2002] Chapter 2, "Basics"
[xorl 2009] "CVE-2009-1376: Pidgin MSN SLP integer truncation"

...