...
The only integer type conversions that are guaranteed to be safe for all data values and all possible conforming implementations are conversions of an integral value to a wider type of the same signedness.
The C Standard, subclause 6.3.1.3 [ISO/IEC 9899:20112024], says
When a value with integer type is converted to another integer type other than
_Bool
, if the value can be represented by the new type, it is unchanged.Otherwise, if the new type is unsigned, the value is converted by repeatedly adding or subtracting one more than the maximum value that can be represented in the new type until the value is in the range of the new type.
Otherwise, the new type is signed and the value cannot be represented in it; either the result is implementation-defined or an implementation-defined signal is raised.
...
Type range errors, including loss of data (truncation) and loss of sign (sign errors), can occur when converting from a value of a signed type to a value of an unsigned type. This noncompliant code example results in a loss of sign:a negative number being misinterpreted as a large positive number.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <limits.h> void func(void) { signed int si = INT_MIN;) { /* Cast eliminates warning */ unsigned int ui = (unsigned int)si; /* ... */ } /* ... */ func(INT_MIN); |
Compliant Solution (Signed to Unsigned)
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <limits.h> void func(void) { signed int si = INT_MIN;) { unsigned int ui; if (si < 0) { /* Handle error */ } else { ui = (unsigned int)si; /* Cast eliminates warning */ } /* ... */ } /* ... */ func(INT_MIN + 1); |
Subclause 6.Subclause 6.2.5, paragraph 911, of the C Standard [ISO/IEC 9899:20112024] provides the necessary guarantees to ensure this solution works on a conforming implementation:
...
This solution is in accordance with INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size. Note that (time_+t)-1
also complies with INT31-C-EX3.
Noncompliant Code Example (memset()
)
For historical reasons, certain C Standard functions accept an argument of type int
and convert it to either unsigned char
or plain char
. This conversion can result in unexpected behavior if the value cannot be represented in the smaller type. This noncompliant solution unexpectedly clears the array:The second argument to memset()
is an example; it indicates what byte to store in the range of memory indicated by the first and third arguments. If the second argument is outside the range of a signed char
or plain char
, then its higher order bits will typically be truncated. Consequently, this noncompliant solution unexpectedly sets all elements in the array to 0, rather than 4096:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <string.h> #include <stddef.h> int *init_memory(int *array, size_t n) { return memset(array, 4096, n); } |
...
Conversions to signed character types are more problematic.
The C Standard, subclause 6.3.1.3, paragraph 3 [ISO/IEC 9899:20112024], says, regarding conversions
...
Furthermore, subclause 6.2.6.2, paragraph 2, says, regarding integer modifications
If the sign Each bit that is one, the a value bit shall be modified in one of the following ways:
— the corresponding value with sign bit 0 is negated (sign and magnitude)
— the sign bit has the value −(2M ) (two’s complement);
— the sign bit has the value −(2M − 1) (ones’ complement).
Which of these applies is implementation-defined, as is whether the value with sign bit 1 and all value bits zero (for the first two), or with sign bit and all value bits 1 (for ones’ complement), is a trap representation or a normal value. [See note.]
NOTE: Two's complement is shorthand for "radix complement in radix 2." Ones' complement is shorthand for "diminished radix complement in radix 2."
Consequently, the standard allows for this code to trap:
have the same value as the same bit in the object representation of the corresponding unsigned type. If the sign bit is zero, it shall not affect the resulting value. If the sign bit is one, it has value −(2N−1). There may or may not be any padding bits signed char shall not have any padding bits.
Consequently, the standard allows for this code to trap:
Code Block |
---|
int |
Code Block |
int i = 128; /* 1000 0000 in binary */
assert(SCHAR_MAX == 127);
signed char c = i; /* can trap */
|
...
Implementations with such trap representations are thought to have existed in the past. Your author was unable to locate any documents describing such processors.
Risk Assessment
Integer truncation errors can lead to buffer overflows and the execution of arbitrary code by an attacker.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT31-C | High | Probable | High | P6 | L2 |
Automated Detection
INT31-C-EX3: The C Standard, subclause 7.29.2.5, paragraph 3 [ISO/IEC 9899:2024] says:
The time function returns the implementation’s best approximation to the current calendar time. The value (time_t)(-1) is returned if the calendar time is not available.
If time_t
is an unsigned type, then the expression ((time_t) (-1))
is guaranteed to yield a large positive value.
Therefore, conversion of a negative compile-time constant to an unsigned value with the same or larger width is permitted by this rule. This exception does not apply to conversion of unsigned to signed values, nor does it apply if the resulting value would undergo truncation.
Risk Assessment
Integer truncation errors can lead to buffer overflows and the execution of arbitrary code by an attacker.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT31-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | |||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported via MISRA C:2012 Rules 10.1, 10.3, 10.4, 10.6 and 10.7 | ||||||||||||||||||||||||||||||||||||||||||||||
CodeSonar |
| LANG.CAST.PC.AV LANG.CAST.COERCE ALLOC.SIZE.TRUNC LANG.MEM.TBA | Cast: arithmetic type/void pointer Coercion alters value Truncation of allocation size Tainted buffer access | |||||||||||||||||||||||||||||||||||||||||||||
Compass/ROSE | Can detect violations of this rule. However, false warnings may be raised if | |||||||||||||||||||||||||||||||||||||||||||||||
| NEGATIVE_RETURNS REVERSE_NEGATIVE MISRA_CAST | Can find array accesses, loop bounds, and other expressions that may contain dangerous implied integer conversions that would result in unexpected behavior Can find instances where a negativity check occurs after the negative value has been used for something else Can find instances where an integer expression is implicitly converted to a narrower integer type, where the signedness of an integer value is implicitly converted, or where the type of a complex expression is implicitly converted | ||||||||||||||||||||||||||||||||||||||||||||||
Cppcheck |
| memsetValueOutOfRange | Partially implemented The second argument to | |||||||||||||||||||||||||||||||||||||||||||||
Cppcheck Premium |
| memsetValueOutOfRange premium-cert-int31-c | Partially implemented The second argument to memset() cannot be represented as unsigned char | |||||||||||||||||||||||||||||||||||||||||||||
Helix QAC |
| C2850, C2855, C2890, C2895, C2900, C2905, C++2850, C++2855, C++2890, C++2895, C++2900, C++2905, C++3000, C++3010 DF2851, DF2852, DF2853, DF2856, DF2857, DF2858, DF2891, DF2892, DF2893, DF2896, DF2897, DF2898, DF2901, DF2902, DF2903, DF2906, DF2907, DF2908 | ||||||||||||||||||||||||||||||||||||||||||||||
Klocwork |
| PORTING.CAST.SIZE | ||||||||||||||||||||||||||||||||||||||||||||||
LDRA tool suite |
| 93 S, 433 S, 434 S | Partially implemented | |||||||||||||||||||||||||||||||||||||||||||||
Parasoft C/C++test |
| CERT_C-INT31-a | An expression of essentially Boolean type should always be used where an operand is interpreted as a Boolean value | |||||||||||||||||||||||||||||||||||||||||||||
Tool | Version | Checker | Description | |||||||||||||||||||||||||||||||||||||||||||||
Astrée | ||||||||||||||||||||||||||||||||||||||||||||||||
Include Page | Astrée_V | Astrée_V | Supported via MISRA C:2012 Rules 10.1, 10.3, 10.4, 10.6 and 10.7 | CodeSonar | ||||||||||||||||||||||||||||||||||||||||||||
Include Page | CodeSonar_V | CodeSonar_V | LANG.CAST.PC.AV LANG.CAST.COERCE ALLOC.SIZE.TRUNC LANG.MEM.TBA | Cast: arithmetic type/void pointer Coercion alters value Truncation of allocation size Tainted buffer access | Compass/ROSE | Can detect violations of this rule. However, false warnings may be raised if | ||||||||||||||||||||||||||||||||||||||||||
Include Page | Coverity_V | Coverity_V | NEGATIVE_RETURNS REVERSE_NEGATIVE MISRA_CAST | Can find array accesses, loop bounds, and other expressions that may contain dangerous implied integer conversions that would result in unexpected behavior Can find instances where a negativity check occurs after the negative value has been used for something else Can find instances where an integer expression is implicitly converted to a narrower integer type, where the signedness of an integer value is implicitly converted, or where the type of a complex expression is implicitly converted | Cppcheck | |||||||||||||||||||||||||||||||||||||||||||
Include Page | Cppcheck_V | Cppcheck_V | memsetValueOutOfRange | The second argument to memset() cannot be represented as unsigned char | Klocwork | |||||||||||||||||||||||||||||||||||||||||||
Include Page | Klocwork_V | Klocwork_V | LDRA tool suite | |||||||||||||||||||||||||||||||||||||||||||||
Include Page | LDRA_V | LDRA_V | 93 S, 433 S, 434 S | Partially implemented | Parasoft C/C++test | |||||||||||||||||||||||||||||||||||||||||||
Include Page | Parasoft_V | Parasoft_V | CERT_C-INT31-a | An expression of essentially Boolean type should always be used where an operand is interpreted as a Boolean value | Polyspace Bug Finder | |||||||||||||||||||||||||||||||||||||||||||
Include Page | Polyspace Bug Finder_V | Polyspace Bug Finder_V | essential type | with a narrower essential type or of a different essential type category | operand of an operator in which the usual arithmetic conversions are performed operand of an operator in which the usual arithmetic conversions are performed then the other operand shall not have wider essential type | |||||||||||||||||||||||||||||||||||||||||||
Polyspace Bug Finder |
| Checks for:
Rule partially covered. | PRQA QA-C | |||||||||||||||||||||||||||||||||||||||||||||
Include Page | PRQA QA-C_v | PRQA QA-C_v | 2850, 2851, 2852, 2853, 2855, 2856, 2857, 2858, 2890, 2891, 2892, 2893, 2895, 2896, 2897, 2898 2900, 2901, 2902, 2903, 2905, 2906, 2907, 2908 | Partially implemented | PRQA QA-C++ | Include Page | | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | |||||||||||||||||||||||||||||||||||||||
PVS-Studio |
| V562, V569, V642, V676, V716, V721, V724, V732, V739, V784, V793, V1019, V1029, V1046 | ||||||||||||||||||||||||||||||||||||||||||||||
RuleChecker |
| Supported via MISRA C:2012 Rules 10.1, 10.3, 10.4, 10.6 and 10.7 | ||||||||||||||||||||||||||||||||||||||||||||||
TrustInSoft Analyzer |
| signed_downcast | Exhaustively verified. |
* Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
...
[Dowd 2006] | Chapter 6, "C Language Issues" ("Type Conversions," pp. 223–270) |
[ISO/IEC 9899:20112024] | 6.3.1.3, "Signed and Unsigned Integers" 6.2.5, "Types" 7.29.2.5, "The time function" |
[Jones 2008] | Section 6.2.6.2, "Integer Types" |
[Seacord 2013b] | Chapter 5, "Integer Security" |
[Viega 2005] | Section 5.2.9, "Truncation Error" Section 5.2.10, "Sign Extension Error" Section 5.2.11, "Signed to Unsigned Conversion Error" Section 5.2.12, "Unsigned to Signed Conversion Error" |
[Warren 2002] | Chapter 2, "Basics" |
[xorl 2009] | "CVE-2009-1376: Pidgin MSN SLP Integer Truncation" |
...