The C Standard, 6.2.5, paragraph 11 [ISO/IEC 9899:2024], states
A computation involving unsigned operands can never produce an overflow, because arithmetic for the unsigned type is performed modulo 2^N.
This behavior is more informally called unsigned integer wrapping. Unsigned integer operations can wrap if the resulting value cannot be represented by the underlying representation of the integer. The following table indicates which operators can result in wrapping:
...
Tool | Version | Checker | Description |
---|---|---|---|
Astrée | | integer-overflow | Fully checked |
Axivion Bauhaus Suite | | CertC-INT30 | Implemented |
CodeSonar | | ALLOC.SIZE.ADDOFLOW | Addition overflow of allocation size |
Compass/ROSE | | | Can detect violations of this rule by ensuring that operations are checked for overflow before being performed (Be mindful of exception INT30-EX2 because it excuses many operations from requiring validation, including all the operations that would validate a potentially dangerous operation. For instance, adding two |
Coverity | | INTEGER_OVERFLOW | Implemented |
Cppcheck Premium | | premium-cert-int30-c | Partially implemented |
Helix QAC | | C2910, C3383, C3384, C3385, C3386, C++2910, DF2911, DF2912, DF2913 | |
Klocwork | | NUM.OVERFLOW, CWARN.NOEFFECT.OUTOFRANGE | |
LDRA tool suite | | 493 S, 494 S | Partially implemented |
Parasoft C/C++test | | CERT_C-INT30-a | Avoid wraparounds when performing arithmetic integer operations |
Polyspace Bug Finder | | CERT C: Rule INT30-C | Checks for: Rule partially covered. |
PVS-Studio | | V658, V1012, V1028, V5005, V5011 | |
RuleChecker | | integer-overflow | Fully checked |
TrustInSoft Analyzer | | unsigned overflow | Exhaustively verified. |
Related Vulnerabilities
CVE-2009-1385 results from a violation of this rule. The value performs an unchecked subtraction on the length of a buffer and then adds that many bytes of data to another buffer [xorl 2009]. This can cause a buffer overflow, which allows an attacker to execute arbitrary code.
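The pattern described above (an unchecked subtraction on a length, followed by a copy of that many bytes) can be avoided with a precondition test before the subtraction. The following is an added example, not code from this page or from the affected driver; `TRAILER_LEN`, the function names, and the sample frame are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRAILER_LEN 4u /* hypothetical fixed trailer stripped from each frame */

/* Unchecked form: when frame_len < TRAILER_LEN the subtraction wraps
 * modulo 2^32 and yields a very large "payload length". */
uint32_t payload_len_unchecked(uint32_t frame_len) {
    return frame_len - TRAILER_LEN;
}

/* Checked form: test the precondition first, so the subtraction
 * itself can never wrap. */
bool payload_len_checked(uint32_t frame_len, uint32_t *out) {
    if (frame_len < TRAILER_LEN) return false;
    *out = frame_len - TRAILER_LEN;
    return true;
}

/* Append a frame's payload to dst, which holds *used of cap bytes.
 * Rejects short frames and payloads that do not fit. */
bool append_payload(uint8_t *dst, size_t cap, size_t *used,
                    const uint8_t *frame, uint32_t frame_len) {
    uint32_t n;
    if (*used > cap || !payload_len_checked(frame_len, &n)) return false;
    if (n > cap - *used) return false; /* cap - *used cannot wrap: used <= cap */
    memcpy(dst + *used, frame, n);
    *used += n;
    return true;
}

int main(void) {
    const uint8_t runt[2] = {0xAA, 0xBB}; /* constructed 2-byte frame */
    uint8_t buf[16];
    size_t used = 0;
    printf("unchecked length: %lu\n",
           (unsigned long)payload_len_unchecked(sizeof runt));
    printf("checked append accepted: %d\n",
           append_payload(buf, sizeof buf, &used, runt, sizeof runt));
    return 0;
}
```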
...
[Bailey 2014] | Raising Lazarus - The 20 Year Old Bug that Went to Mars |
[Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223) |
[ISO/IEC 9899:2024] | Subclause 6.2.5, "Types" |
[Seacord 2013b] | Chapter 5, "Integer Security" |
[Viega 2005] | Section 5.2.7, "Integer Overflow" |
[VU#551436] | |
[Warren 2002] | Chapter 2, "Basics" |
[Wojtczuk 2008] | |
[xorl 2009] | "CVE-2009-1385: Linux Kernel E1000 Integer Underflow" |
...