Integer values used in any of the following ways must be guaranteed correct:
- as an array index
- in any pointer arithmetic
- as a length or size of an object
- as the bound of an array (for example, a loop counter)
- in security-critical code
According to C99, Section 6.2.5, "Types":
...
The following sections examine specific operations that are susceptible to unsigned integer wrap. When operating on small types (smaller than int), integer conversion rules apply. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Make sure you understand implicit conversion rules before trying to implement secure arithmetic operations (see INT02-A. Understand integer conversion rules).
Integer values that originate from untrusted sources must not be allowed to wrap if they are used in any of the following ways:
- as an array index
- in any pointer arithmetic
- as a length or size of an object
- as the bound of an array (for example, a loop counter)
- as an argument to a memory allocation function
- in security-critical code
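The precondition checks a defender puts in front of such uses, as an added example that is not part of the original rule text: a wrap test for unsigned addition and for the count-times-size product before it reaches malloc. The alloc_table helper and its header/element layout are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Unsigned addition with a precondition test: stores a + b in *out and
 * returns true only if the sum cannot wrap modulo UINT_MAX + 1. */
bool checked_add_uint(unsigned int a, unsigned int b, unsigned int *out) {
    if (UINT_MAX - a < b) {
        return false;               /* a + b would wrap */
    }
    *out = a + b;
    return true;
}

/* Element count times element size with a precondition test, as needed
 * before the product is used as a length, size or allocation argument. */
bool checked_mul_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return false;               /* count * elem_size would wrap */
    }
    *out = count * elem_size;
    return true;
}

/* Unchecked product, kept in a function so the wrap is visible at run time
 * rather than folded away by the compiler. */
size_t unchecked_mul_size(size_t count, size_t elem_size) {
    return count * elem_size;       /* silently wraps on overflow */
}

/* Hypothetical helper: allocate `header` bytes followed by `count` elements
 * of `elem_size` bytes, refusing if any intermediate size would wrap. */
void *alloc_table(size_t header, size_t count, size_t elem_size) {
    size_t body;
    if (!checked_mul_size(count, elem_size, &body)) return NULL;
    if (SIZE_MAX - header < body) return NULL;  /* header + body would wrap */
    return malloc(header + body);
}

/* Constructed overflowing request: 4 * (SIZE_MAX/2 + 1) wraps to 0, which
 * malloc would happily accept. Returns true if the checked path rejects it
 * while the unchecked product has indeed wrapped to zero. */
bool demo_rejects_wrapping_request(void) {
    size_t wrapped = unchecked_mul_size(4, SIZE_MAX / 2 + 1);
    size_t checked;
    bool ok = checked_mul_size(4, SIZE_MAX / 2 + 1, &checked);
    return wrapped == 0 && !ok;
}
```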
Addition
...