SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 39

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 40

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The method Double.valueOf(String s) can return NaN or an infinite double, as specified by its contract. Programs should install checks to ensure that all floating point inputs (especially those obtained from the user) are free of unexpected exceptional values. The methods Double.isNaN(double d) and Double.isInfinite(double d) can be used for this purpose.

Noncompliant Code Example

This noncompliant code example accepts user data without validating it.

...

In this noncompliant example, entering NaN for val would cause currentBalance to be set to NaN, corrupting its value. If this value were used in other expressions, every resulting value would also become NaN, possibly corrupting important data.

Compliant Solution

This compliant solution validates the floating point input before using it. The value is tested to ensure that it is neither infinity, -infinity, nor NaN.

Code Block
bgColor#ccccff
double currentBalance; // User's cash balance

void doDeposit(String s){
  double val;
  try {
    val = Double.valueOf(userInput);
  }
  catch(NumberFormatException e) {
    // Handle input format error
  }

  if (Double.isInfinite(val)){
    // Handle infinity error
  }

  if (Double.isNaN(val)) {
    // Handle NaN error
  }

  if (val >= Double.MAX_VALUE - currentBalance) {
    // Handle range error
  }
  currentBalance += val;
}

Exceptions

FLP06FLP11-EX1: Occasionally, NaN or infinity may be acceptable as expected inputs to a program. In such cases, explicit checks might not be necessary. However, such programs must be prepared to handle these exceptional values gracefully and should prevent propagation of the exceptional values to other code that fails to handle exceptional values. The choice to permit input of exceptional values during ordinary operation should be explicitly documented.

Risk Assessment

Incorrect or missing validation of floating point input can result in miscalculations and unexpected results, possibly leading to inconsistent program behavior and Denial of Service (DoS).

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

NUM06 NUM11-J

low

probable

medium

P4

L3

Automated Detection

Automated detection is not feasible in the general case. It could be possible to develop a taint-like analysis that detects many interesting cases.

Related Vulnerabilities

HARMONY-6242, HARMONY-6268

Related Guidelines

C Secure Coding Standard: FLP04-C. Check floating point inputs for exceptional values

C++ Secure Coding Standard: FLP04-CPP. Check floating point inputs for exceptional values

Bibliography

Wiki Markup
\[[IEEE 754|https://www.securecoding.cert.org/confluence/display/seccode/AA.+C+References#AA.CReferences-IEEE7542006|IEEE 754]\]
\[[IEEE 1003.1, 2004|https://www.securecoding.cert.org/confluence/display/seccode/AA.+C+References#AA.CReferences-IEEE1003|IEEE 1003.1, 2004]\]

...