Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft C/C++test 2023.1

Integer operations must result in an integer value within the range of the integer type (that is, the resulting value is the same as the result produced by unlimited-range integers). Frequently, the range is more restrictive based restrictive depending on the use of the integer value, for example, as an index. Integer values can be verified by code review or by static analysis.

Integer overflow is undefined behavior, so a compiled program can do anything, including go off to play the Game of Life. Furthermore, a compiler may perform optimizations that assume an overflow will never occur, which can easily yield unexpected results. Compilers can optimize away if statements that check whether an overflow occurred. See MSC15-C. Do not depend on undefined behavior for an example.

Verifiably in-range operations are often preferable to treating out-of-range values as an error condition because the handling of these errors has been repeatedly shown to cause Wiki MarkupVerifiably in range operations are often preferable to treating out of range values as an error condition because the handling of these errors has been repeatedly shown to cause denial-of-service problems in actual applications. The quintessential example of this is the failure of the Ariane 5 launcher, which occurred due to an improperly handled conversion error that resulted in the processor being shut down \[[Lions 96|AA. C References#Lions 96]\].occurred because of an improperly handled conversion error that resulted in the processor being shut down [Lions 1996].

A program that detects an integer overflow to be imminent Faced with an integer overflow, the underlying computer system may do one of two things: (1) signal some sort of error condition , or (2) produce an integer result that is within the range of representable integers on that system. The latter semantics may be preferable in some situations in that Some situations can be handled by an error condition, where an overflow causes a change in control flow (such as the system complaining about bad input and requesting alternative input from the user). Others are better handled by the latter option because it allows the computation to proceed and generate an integer result, thus thereby avoiding a denial-of-service attack. However, it raises when continuing to produce an integer result in the face of overflow, the question of what integer result to return to the user must be considered.

The saturation and modwrap algorithms and the technique of restricted range usage, defined in the following subsections, produce integer results that are always within a defined range. This range is between the integer values MIN and MAX (inclusive), where MIN and MAX are two representable integers with MIN < MAX.

Saturation Semantics

For saturation semantics, assume that the mathematical result of the computation is result. The value actually returned to the user is set out in the following table:

range

Range of

mathematical result result returned

Mathematical Result

Result Returned

MAX < result

MAX

MIN <= result <= MAX

result

result < MIN

MIN

Modwrap Semantics

Wiki MarkupIn modwrap semantics (also called _modulo_ arithmetic), integer values "wrap round." That is, adding one to {{MAX}} produces {{MIN}}. This is the defined behavior for unsigned integers in the C Standard \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] (see Section 1 to MAX produces MIN. This is the defined behavior for unsigned integers in the C Standard, subclause 6.2.5, "Types," paragraph 9) and is frequently the behavior of signed integers as well. However, it is more sensible in many applications to use saturation semantics instead of modwrap semantics. For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow rather than suddenly becoming a very small 9. It is frequently the behavior of signed integers, as well. However, it is more sensible in many applications to use saturation semantics instead of modwrap semantics. For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow rather than to suddenly become a very small value.

Restricted Range Usage

Wiki Markup
Another tool for avoiding integer overflow is to use only half the range of signed integers.&nbsp; For example, when using an {{int}}, use only the range \[{{INT_MIN}}/2, {{INT_MAX}}/2\].&nbsp; This has been a trick of the trade in Fortran for some time, and now that optimizing C compilers are becoming more sophisticated, it can be valuable in C.

Non-Compliant Code Example

Another technique for avoiding integer overflow is to use only half the range of signed integers. For example, when using an int, use only the range [INT_MIN/2, INT_MAX/2]. This practice has been a trick of the trade in Fortran for some time, and now that optimizing C compilers are more sophisticated, it can be valuable in C.

Consider subtraction. If the user types the expression a - b, where both a and b are in the range [INT_MIN/2, INT_MAX/2], the result will be in the range (INT_MIN, INT_MAX] for a typical two's complement machine.

Now, if the user types a < b, an implicit subtraction often occurs. On a machine without condition codes, the compiler may simply issue a subtract instruction and check whether the result is negative. This behavior is allowed because the compiler is allowed to assume there is no overflow. If all explicitly user-generated values are kept in the range [INT_MIN/2, INT_MAX/2], then comparisons will always work even if the compiler performs this optimization on such hardware.

Noncompliant Code Example

In this noncompliant In the following non-compliant example, i + 1 will overflow on a 16-bit machine.   The C standard Standard allows signed integers to overflow and produce incorrect results. Compilers can take advantage of this to produce faster code by assuming an overflow will not occur.   As a result, the if statement that is intended to catch an overflow might be optimized away.

Code Block
bgColor#ffcccc
langc

int i = /* some expressionExpression that evaluates to the value 32767 */;
/* ... */
if (i + 1 <= i) {
  /* handleHandle overflow */
}
/* expressionExpression involving i + 1 */

Compliant Solution

Using a long instead of an int is guaranteed to accommodate the computed value.:

Code Block
bgColor#ccccff
langc

long i = /* someExpression expression that evaluates to the value 32767 */;
/* ... */
/* No test is necessary; i is known not to overflow. */
/* expressionExpression involving i + 1 */

Non-Compliant Code Example

Increasingly optimization techniques are being adopted that ignore the possibility of integer overflow to produce faster code. For example, in gcc versions 4.2 and later, code that performs length checks similar to the following:

Code Block
bgColor#ffcccc

char *buf;
int len = 1<<30;
/* ... */
if (buf+len < buf) { /* length check */
   /* perform some manipulation on len */
}

Wiki Markup
are optimized away; no object code to perform the check will appear in the resulting executable program \[[VU#162289|AA. C References#VU#162289]\]. 

Compliant Solution

Test for the possibility of overflow without performing the operation (see INT32-C. Ensure that integer operations do not result in an overflow for more information).

Code Block
bgColor#ccccff

char *buf;
size_t len = 1 << 30;
/* ... */
if (SIZE_MAX - len < buf) {  /* length check */
  /* perform some operation using len */
}

Risk Assessment

Out-of-range integer values can result in fetches or stores from reading from or writing to arbitrary memory locations and the execution of arbitrary code.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT08-

A

2 (medium)

2 (probable)

1 (high)

C

Medium

Probable

High

P4

L3

Automated Detection

...

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
integer-overflowFully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-INT08
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.SIZE.ADDOFLOW

ALLOC.SIZE.IOFLOW

ALLOC.SIZE.MULOFLOW

ALLOC.SIZE.SUBUFLOW

MISC.MEM.SIZE.ADDOFLOW

MISC.MEM.SIZE.BAD

MISC.MEM.SIZE.MULOFLOW

MISC.MEM.SIZE.SUBUFLOW

Addition Overflow of Allocation Size

Integer Overflow of Allocation Size

Multiplication Overflow of Allocation Size

Subtraction Underflow of Allocation Size

Addition Overflow of Size

Unreasonable Size Argument

Multiplication Overflow of Size

Subtraction Underflow of Size

Compass/ROSE



Could detect violations of this recommendation by flagging any comparison expression involving addition that could potentially overflow. For example, instead of comparing a + b < c (where b and c are compile-time constants) and b > c, the code should compare a < c - b. (This assumes a, b, c are unsigned ints. Usually b is small and c is an upper bound such as INT_MAX.)

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C2800,  C2910

DF2801, DF2802, DF2803, DF2911, DF2912, DF2913


LDRA tool suite
Include Page
LDRA_V
LDRA_V

488 S, 493 S, 493 S

Partially implemented

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-INT08-a
CERT_C-INT08-b
CERT_C-INT08-c
CERT_C-INT08-d

Avoid data loss when converting between integer types
Avoid signed integer overflows
Avoid value change when converting between integer types
Avoid wraparounds when performing arithmetic integer operations

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

648, 650, 679, 680, 776,
952, 2704

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. INT08-CChecks for integer overflow or integer constant overflow (rec. fully covered)


Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Lions 96|AA. C References#Lions 96]\]
\[[VU#162289|AA. C References#VU#162289]\]

Related Guidelines

Bibliography


...

Image Added Image Added Image AddedINT07-A. Use only explicitly signed or unsigned char type for numeric values      04. Integers (INT)       INT09-A. Ensure enumeration constants map to unique values