...
When calling a formatted input stream function , like istream::operator>>(), information about conversion errors is queried through the basic_ios::good(), basic_ios::bad(), and basic_ios::fail() inherited member functions or through exception handling if it is enabled on the stream object.
When calling num_get<>::get(), information about conversion errors is returned to the caller through the ios_base::iostate& argument. The C++ Standard, section [facet.num.get.virtuals], paragraph 3 states, in part 3 [ISO/IEC 14882-2014], in part, states the following:
If the conversion function fails to convert the entire field, or if the field represents a value outside the range of representable values,
ios_base::failbitis assigned toerr.
Always explicitly check the error state of a conversion from string to a numeric value (or handle the related exception, if applicable) instead of assuming the conversion results in a valid value. This rule is in addition to ERR34-C. Detect errors when converting a string to a number, which bans the use of conversion functions that do not perform conversion validation such as std::atoi() and std::scanf() from the C Standard Library.
Noncompliant Code Example
...
In this compliant solution, each converted value read from the standard input stream is tested for validity before reading the next value in the sequence, allowing error recovery on a per-value basis. It checks std::istream::fail() to see if the failure bit was set due to a conversion failure or whether the bad bit was set due to a loss of integrity with the stream object. If a failure condition is encountered, it is cleared on the input stream and then characters are read and discarded until a ' ' character occurs. Note that the (space) character occurs. The error handling in this case only works if a space character is what delimits the two numeric values to be converted.
...
It is rare for a violation of this rule to result in a security vulnerability unless it occurs in security-sensitive code. However, violations of this rule can easily result in lost or misinterpreted data.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ERR62-CPP | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| Axivion Bauhaus Suite |
| CertC++-ERR62 | |||||||
|
| Checked by clang-tidy; only identifies use of unsafe C Standard Library functions corresponding to ERR34-C | |||||||
| CodeSonar |
| BADFUNC.ATOF | Use of atof | ||||||
| Helix QAC |
| C++3161 | |||||||
| Klocwork |
| CERT.ERR.CONV.STR_TO_NUM | |||||||
| Parasoft C/C++test |
| CERT_CPP-ERR62-a | The library functions atof, atoi and atol from library stdlib.h shall not be used | ||||||
| Polyspace Bug Finder |
| CERT C++: ERR62-CPP | Checks for unvalidated string-to-number conversion (rule fully covered) |
Related Vulnerabilities
Search for other vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C Coding Standard | |
| MITRE CWE | CWE-676, Use of potentially dangerous function CWE-20, Insufficient input validation |
Bibliography
| [ISO/IEC 9899:1999] | Subclause 7.22.1, "Numeric conversion functions" Subclause 7.21.6, "Formatted input/output functions" |
| [ISO/IEC 14882-2014] | Subclause 22.4.2.1.1, "num_get members" |
...
...