Integer overflow is undefined behavior. This means that implementations have a great deal of latitude in how they deal with signed integer overflow. An implementation that defines signed integer types as being modulo, for example, need not detect integer overflow. Implementations may also trap on signed arithmetic overflows, or simply assume that overflows will never happen and generate object code accordingly (see MSC15-AC. Do not depend on undefined behavior). For these reasons, it is important to ensure that operations on signed integers do not result in signed overflow. Of particular importance, however, are operations on signed integer values that originate from untrusted sources and are used in any of the following ways:
...
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type (see ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for rules about adding a pointer to an integer). Incrementing is equivalent to adding one.
...
Noncompliant Code Example
This noncompliant code example may result in a signed integer overflow during the addition of the signed operands si1 and si2. If this behavior is unanticipated, it can lead to an exploitable vulnerability.
...
This compliant solution only works on architectures that use two's complement representation. While most modern platforms use two's complement representation, it is best not to introduce unnecessary platform dependencies when practical (see MSC14-AC. Do not introduce unnecessary platform dependencies).
Compliant Solution (General)
...
Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or between a pointer to an object type and an integer type. See ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for rules about pointer subtraction. Decrementing is equivalent to subtracting one.
...
Noncompliant Code Example
This noncompliant code example can result in a signed integer overflow during the subtraction of the signed operands si1 and si2. If this behavior is unanticipated, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that can lead to an exploitable vulnerability.
...
This compliant solution only works on architectures that use two's complement representation. While most modern platforms use two's complement representation, it is best not to introduce unnecessary platform dependencies when practical (see MSC14-AC. Do not introduce unnecessary platform dependencies).
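The following is an added example, not the code of the CERT standard's own compliant solutions, that implements both approaches described for addition and subtraction: the general (portable) precondition test on the operands, and the two's complement variant that performs the arithmetic on unsigned copies and inspects the sign bits. The helper names (checked_add, checked_sub, checked_add_twos_complement, checked_sub_twos_complement) and the status codes are assumptions made for this example.

```c
#include <limits.h>
#include <stdio.h>

/* Status codes returned by the checked helpers (names assumed for this example). */
enum { ARITH_OK = 0, ARITH_OVERFLOW = 1 };

/*
 * General solution for addition: test the operands before the addition is
 * performed, so the overflowing expression is never evaluated. This works on
 * any signed representation the standard permits.
 */
int checked_add(int si1, int si2, int *result) {
    if (((si2 > 0) && (si1 > (INT_MAX - si2))) ||
        ((si2 < 0) && (si1 < (INT_MIN - si2)))) {
        return ARITH_OVERFLOW;
    }
    *result = si1 + si2;
    return ARITH_OK;
}

/* General solution for subtraction: the same idea with the bounds mirrored. */
int checked_sub(int si1, int si2, int *result) {
    if (((si2 > 0) && (si1 < (INT_MIN + si2))) ||
        ((si2 < 0) && (si1 > (INT_MAX + si2)))) {
        return ARITH_OVERFLOW;
    }
    *result = si1 - si2;
    return ARITH_OK;
}

/*
 * Two's complement-only solution for addition: do the arithmetic on unsigned
 * copies, where wraparound is well defined, then inspect the sign bits. The
 * sum overflowed exactly when both operands share a sign and the sum's sign
 * differs from it. This is the platform-dependent variant the text warns about.
 */
int checked_add_twos_complement(int si1, int si2, int *result) {
    const unsigned int sign_bit = 1u << (sizeof(int) * CHAR_BIT - 1);
    unsigned int u1 = (unsigned int)si1;
    unsigned int u2 = (unsigned int)si2;
    unsigned int usum = u1 + u2;
    if ((u1 ^ usum) & (u2 ^ usum) & sign_bit) {
        return ARITH_OVERFLOW;
    }
    *result = (int)usum; /* in range, so on two's complement this is the true sum */
    return ARITH_OK;
}

/*
 * Two's complement-only solution for subtraction: the difference overflowed
 * exactly when the operands differ in sign and the result's sign differs
 * from the sign of the minuend si1.
 */
int checked_sub_twos_complement(int si1, int si2, int *result) {
    const unsigned int sign_bit = 1u << (sizeof(int) * CHAR_BIT - 1);
    unsigned int u1 = (unsigned int)si1;
    unsigned int u2 = (unsigned int)si2;
    unsigned int udiff = u1 - u2;
    if ((u1 ^ u2) & (u1 ^ udiff) & sign_bit) {
        return ARITH_OVERFLOW;
    }
    *result = (int)udiff;
    return ARITH_OK;
}

int main(void) {
    int r;
    if (checked_add(INT_MAX, 1, &r) == ARITH_OVERFLOW) {
        puts("INT_MAX + 1 rejected before the addition is evaluated");
    }
    if (checked_sub(INT_MIN, 1, &r) == ARITH_OVERFLOW) {
        puts("INT_MIN - 1 rejected before the subtraction is evaluated");
    }
    if (checked_add(100, -250, &r) == ARITH_OK) {
        printf("100 + -250 = %d\n", r);
    }
    return 0;
}
```

The general helpers never evaluate the expression that would overflow, which is what makes them safe under any implementation's treatment of undefined behavior; the two's complement helpers evaluate it only in unsigned arithmetic, where wraparound is defined, but the conversion of an out-of-range unsigned value back to int is implementation-defined, which is the platform dependency MSC14-AC asks you to avoid.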
...
Multiplication is between two operands of arithmetic type.
...
Noncompliant Code Example
This noncompliant code example can result in a signed integer overflow during the multiplication of the signed operands si1 and si2. If this behavior is unanticipated, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that can lead to an exploitable vulnerability.
...
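The following is an added example, not the CERT standard's own compliant solution, of a multiplication precondition test. Because there is no single bound such as INT_MAX - si2 for a product, the check splits on the signs of the operands and divides the limit by one operand before multiplying; a second helper shows the simpler alternative of computing the product in a wider type when one is available. The helper names checked_mul and checked_mul_wide and the status codes are assumptions made for this example.

```c
#include <limits.h>
#include <stdio.h>

/* Status codes returned by the checked helpers (names assumed for this example). */
enum { MUL_OK = 0, MUL_OVERFLOW = 1 };

/*
 * Portable precondition test for si1 * si2. Each branch divides the relevant
 * limit by one operand; the divisor is never zero and never -1 with INT_MIN
 * as dividend, so the test itself cannot overflow.
 */
int checked_mul(int si1, int si2, int *result) {
    if (si1 > 0) {
        if (si2 > 0) {
            if (si1 > (INT_MAX / si2)) return MUL_OVERFLOW;   /* both positive */
        } else {
            if (si2 < (INT_MIN / si1)) return MUL_OVERFLOW;   /* si1 positive, si2 nonpositive */
        }
    } else {
        if (si2 > 0) {
            if (si1 < (INT_MIN / si2)) return MUL_OVERFLOW;   /* si1 nonpositive, si2 positive */
        } else {
            /* both nonpositive: the product is nonnegative and bounded by INT_MAX */
            if ((si1 != 0) && (si2 < (INT_MAX / si1))) return MUL_OVERFLOW;
        }
    }
    *result = si1 * si2;
    return MUL_OK;
}

/*
 * Alternative when a wider type exists: compute the product in long long and
 * range-check the result. This assumes long long is at least twice as wide as
 * int (true on common platforms, but not guaranteed by the standard), otherwise
 * the wide multiplication can itself overflow.
 */
int checked_mul_wide(int si1, int si2, int *result) {
    long long wide = (long long)si1 * (long long)si2;
    if ((wide > INT_MAX) || (wide < INT_MIN)) return MUL_OVERFLOW;
    *result = (int)wide;
    return MUL_OK;
}

int main(void) {
    int r;
    if (checked_mul(INT_MIN, -1, &r) == MUL_OVERFLOW) {
        puts("INT_MIN * -1 rejected before the multiplication is evaluated");
    }
    if (checked_mul(-7, 6, &r) == MUL_OK) {
        printf("-7 * 6 = %d\n", r);
    }
    return 0;
}
```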
Division is between two operands of arithmetic type. Overflow can occur during two's-complement signed integer division when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to -1. Division operations are also susceptible to divide-by-zero errors (see INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors).
...
Noncompliant Code Example
This code can result in a signed integer overflow during the division of the signed operands sl1 and sl2 or in a divide-by-zero error. The IA-32 architecture, for example, requires that both conditions result in a fault, which can easily result in a denial-of-service attack.
...
The modulo operator provides the remainder when two operands of integer type are divided.
...
Noncompliant Code Example
This code can result in a divide-by-zero or an overflow error during the modulo operation on the signed operands sl1 and sl2. Overflow can occur during a modulo operation when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to -1.
...
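The following is an added example, not the CERT standard's own compliant solution, covering both the division and the modulo operations described above. Both operators share the same two preconditions (a nonzero divisor, and not LONG_MIN with a divisor of -1), so one helper checks them and the two operator wrappers call it. The names check_div_preconditions, checked_div and checked_mod and the status codes are assumptions made for this example; sl1 and sl2 are the operand names used in the text.

```c
#include <limits.h>
#include <stdio.h>

/* Status codes returned by the checked helpers (names assumed for this example). */
enum { DIV_OK = 0, DIV_BY_ZERO = 1, DIV_OVERFLOW = 2 };

/*
 * Preconditions shared by / and %: a zero divisor violates INT33-C, and
 * LONG_MIN / -1 (or LONG_MIN % -1) overflows because -LONG_MIN is not
 * representable as a long. On IA-32 both conditions raise a fault.
 */
static int check_div_preconditions(long sl1, long sl2) {
    if (sl2 == 0) return DIV_BY_ZERO;
    if ((sl1 == LONG_MIN) && (sl2 == -1)) return DIV_OVERFLOW;
    return DIV_OK;
}

int checked_div(long sl1, long sl2, long *quotient) {
    int status = check_div_preconditions(sl1, sl2);
    if (status != DIV_OK) return status;
    *quotient = sl1 / sl2;
    return DIV_OK;
}

/* The remainder of LONG_MIN % -1 is mathematically 0, but the operation still traps. */
int checked_mod(long sl1, long sl2, long *remainder) {
    int status = check_div_preconditions(sl1, sl2);
    if (status != DIV_OK) return status;
    *remainder = sl1 % sl2;
    return DIV_OK;
}

int main(void) {
    long q;
    if (checked_div(LONG_MIN, -1, &q) == DIV_OVERFLOW) {
        puts("LONG_MIN / -1 rejected before the division is evaluated");
    }
    if (checked_mod(7, 0, &q) == DIV_BY_ZERO) {
        puts("7 % 0 rejected before the modulo is evaluated");
    }
    if (checked_div(-7, 2, &q) == DIV_OK) {
        printf("-7 / 2 = %ld\n", q);
    }
    return 0;
}
```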
The unary negation operator takes an operand of arithmetic type. Overflow can occur during two's-complement unary negation when the operand is equal to the minimum (negative) value for the signed integer type.
...
Noncompliant Code Example
This noncompliant code example can result in a signed integer overflow during the unary negation of the signed operand si1.
...
The left shift operator is between two operands of integer type.
...
Noncompliant Code Example
This noncompliant code example can result in signed integer overflow.
...
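The following is an added example, not the CERT standard's own compliant solution, covering the unary negation and left shift operations described above. Negation has a single bad input, INT_MIN; a left shift needs three checks: the shift count must lie in [0, width of int), the value shifted must not be negative, and the result must be representable, which holds exactly when si1 <= INT_MAX >> si2. The names checked_neg and checked_shl and the status codes are assumptions made for this example; si1 and si2 are the operand names used in the text.

```c
#include <limits.h>
#include <stdio.h>

/* Status codes returned by the checked helpers (names assumed for this example). */
enum { OP_OK = 0, OP_OVERFLOW = 1, OP_INVALID_SHIFT = 2 };

/* -INT_MIN is not representable on two's complement, so it is the only input rejected. */
int checked_neg(int si1, int *result) {
    if (si1 == INT_MIN) return OP_OVERFLOW;
    *result = -si1;
    return OP_OK;
}

/*
 * si1 << si2 is undefined when si2 is negative or at least the width of int,
 * when si1 is negative, or when the result does not fit. The last case is
 * tested by shifting INT_MAX right instead, which cannot overflow.
 */
int checked_shl(int si1, int si2, int *result) {
    const int width = (int)(sizeof(int) * CHAR_BIT);
    if ((si2 < 0) || (si2 >= width) || (si1 < 0)) return OP_INVALID_SHIFT;
    if (si1 > (INT_MAX >> si2)) return OP_OVERFLOW;
    *result = si1 << si2;
    return OP_OK;
}

int main(void) {
    int r;
    if (checked_neg(INT_MIN, &r) == OP_OVERFLOW) {
        puts("-INT_MIN rejected before the negation is evaluated");
    }
    if (checked_shl(INT_MAX, 1, &r) == OP_OVERFLOW) {
        puts("INT_MAX << 1 rejected before the shift is evaluated");
    }
    if (checked_shl(3, 4, &r) == OP_OK) {
        printf("3 << 4 = %d\n", r);
    }
    return 0;
}
```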
Fortify SCA Version 5.0 with CERT C Rule Pack can detect violations of this rule.
...