...
The left-shift operator takes two integer operands. The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are filled with zeros.
The C Standard, 66.5.78, paragraph 4 [ISO/IEC 9899:20112024], states
If
E1has a signed type and nonnegative value, andE1 × 2E2is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a logic error. These issues are covered by INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.
Noncompliant Code Example
This noncompliant code example performs a left shift, after verifying that the number being shifted is not negative, and the number of bits to shift is valid. The PRECISION() macro and popcount() function provide the correct precision for any integer type. (See INT35-C. Use correct integer precisions.) However, because this code does no overflow check, it can result in an unrepresentable value.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <limits.h>
#include <stddef.h>
#include <inttypes.h>
extern size_t popcount(uintmax_t);
#define PRECISION(umax_value) popcount(umax_value)
void func(signed long si_a, signed long si_b) {
signed long result;
if ((si_a < 0) || (si_b < 0) ||
(si_b >= PRECISION(ULONG_MAX))) {
/* Handle error */
} else {
result = si_a << si_b;
}
/* ... */
} |
Compliant Solution
This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:
...
Tool | Version | Checker | Description | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| integer-overflow | Fully checked | ||||||||||||||||
| CodeSonar |
| ALLOC.SIZE.ADDOFLOW | Addition overflow of allocation size | ||||||||||||||||
| Coverity |
| TAINTED_SCALAR BAD_SHIFT | Implemented | ||||||||||||||||
| Cppcheck Premium |
| premium-cert-int32-c | Partially implemented | ||||||||||||||||
| Helix QAC |
| C2800 | , C2801, C2802, | C2803, C2860 | , C2861, C2862, C2863C++2800, C++ | 2801, C++2802, C++2803, C++2860, C++2861, C++2862, C++28632860 DF2801, DF2802, DF2803, DF2861, DF2862, DF2863 | |||||||||||||
| Klocwork |
| CWARNNUM.OVERFLOW | |||||||||||||||||
| LDRA tool suite |
| 493 S, 494 S | Partially implemented | ||||||||||||||||
| Parasoft C/C++test |
| CERT_C-INT32-a | Avoid signed integer overflows | ||||||||||||||||
| Parasoft Insure++ | Runtime analysis | ||||||||||||||||||
| Polyspace Bug Finder |
| Checks for:
Rule partially covered. | PRQA QA-C | ||||||||||||||||
| Include Page | PRQA QA-C_v | 2800, 2801, 2802, 2803, 2860, 2861, 2862, 2863 | Fully implemented | PRQA QA-C++ | |||||||||||||||
| Include Page | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | |||||||||||||||||
2800, 2801, 2802, 2803, 2860, 2861, 2862, 2863 | PVS-Studio |
| V1026, V1070, V1081, V1083, V1085, V5010 | ||||||||||||||||
| TrustInSoft Analyzer |
| signed_overflow | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
| [Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223) |
| [ISO/IEC 9899:20112024] | Subclause 6.5.58, "Multiplicative OperatorsBitwise shift operators" |
| [Seacord 2013b] | Chapter 5, "Integer Security" |
| [Viega 2005] | Section 5.2.7, "Integer Overflow" |
| [Warren 2002] | Chapter 2, "Basics" |
...