Enumerations in C++ come in two forms: scoped enumerations , where in which the underlying type is fixed , and unscoped enumerations where in which the underlying type may or may not be fixed. The range of values that can be represented by either form of enumeration may include enumerator values not specified by the enumeration itself. The range of valid enumeration values for an enumeration type is defined by the C++ Standard, [dcl.enum], in paragraph 8 [ISO/IEC 14882-20142020]:
For an enumeration whose underlying type is fixed, the values of the enumeration are the values of the underlying the underlying type. Otherwise, for an enumeration where emin is the smallest enumerator and emax is the largest, the values of the enumeration are the values in the range bmin to bmax, defined as follows: Let K be
1for a two’s complement representation and0for a one’s complement or sign-magnitude representation. bmax is the smallest value greater than or equal to max(|emin| − K, |emax|) and equal to 2M − 1, where M is a non-negative integer. bmin is zero if emin is non-negative and −(bmax + K) otherwise. The size of the representable by a hypothetical integer type with minimal width M such that all enumerators can be represented. The width of the smallest bit-field large enough to hold all the values of the enumeration type is max(M, 1) if bmin is zero and M + 1 otherwise. It is possible to define an enumeration that has values not defined by any of its enumeratorsits enumerators. If the enumerator-list is empty, the values of the enumeration are as if the enumeration had a single a single enumerator with value 0.
According to the The C++ Standard, [expr.static.cast], paragraph 10, states the following:
A value of integral or enumeration type can be explicitly converted to a complete enumeration type. If the enumeration type has a fixed underlying type, the value is first converted to an to that type by integral conversion, if necessary, and then to the enumeration type. The value is unchanged If the enumeration type does not have a fixed underlying type, the value is unchanged if the original value is within the range of the enumeration values (9.7.2). Otherwise1), and otherwise, the resulting value is unspecified (and might not be in that range)behavior is undefined. A value of floating-point type can also be explicitly converted explicitly converted to an enumeration type. The resulting value is the same as converting the original value to the underlying the underlying type of the enumeration (47.3.910), and subsequently to the enumeration type.
To avoid operating on unspecified values, the arithmetic value being cast must be within the range of values the enumeration can represent. When dynamically checking for out-of-range values dynamically, it checking must be performed prior to before the cast expression.
Noncompliant Code Example (Bounds Checking)
This noncompliant code example attempts to check whether a given value is within the range of acceptable enumeration values. However, it is doing so after casting to the enumeration type, which may not be able to represent the given integer value. On a two's complement system, the valid range of values that can be represented by enum_type EnumType are : [0..3], so if a value outside of that range were passed to f(), the cast to enum_type would EnumType would result in an unspecified value, and using that value within the if statement results in unspecified behavior.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum enum_typeEnumType { E_AFirst, E_BSecond, E_CThird }; void f(int int_varintVar) { enum_type enum_varEnumType enumVar = static_cast<enum_type>(int_varcast<EnumType>(intVar); if (enum_varenumVar < E_AFirst || enum_varenumVar > E_CThird) { // Handle error } } |
Compliant Solution (Bounds Checking)
This compliant solution checks that the value is within the range of acceptable enumeration values before can be represented by the enumeration type before performing the conversion to guarantee there is no unspecified result. It further restricts the conversion does not result in an unspecified value. It does this by restricting the converted value to one for which there is a specific enumerator value.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum enum_typeEnumType { E_AFirst, E_BSecond, E_CThird }; void f(int int_varintVar) { if (int_varintVar < E_AFirst || int_varintVar > E_CThird) { // Handle error } enum_type enum_varEnumType enumVar = static_cast<enum_type>(int_varcast<EnumType>(intVar); } |
Compliant Solution (Scoped Enumeration)
This compliant solution uses a scoped enumeration, which has a fixed underlying int type of type int by default, allowing any value from the parameter to be converted into a valid enumeration value. It does not further restrict the converted value to one for which there is a specific enumerator value, but it could do so by using as shown in the previous compliant solution.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum class enum_typeEnumType { E_AFirst, E_BSecond, E_CThird }; void f(int int_varintVar) { enum_type enum_varEnumType enumVar = static_cast<enum_type>(int_varcast<EnumType>(intVar); } |
Compliant Solution (Fixed Unscoped Enumeration)
Similar to the previous compliant solution, this compliant solution uses an unscoped enumeration , but provides a fixed underlying int type of type int, allowing any value from the parameter to be converted into to a valid enumeration value:.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum enum_typeEnumType : int { E_AFirst, E_BSecond, E_CThird }; void f(int int_varintVar) { enum_type enum_varEnumType enumVar = static_cast<enum_type>(int_varcast<EnumType>(intVar); } |
While Although similar to the previous compliant solution, the previous this compliant solution differs from the noncompliant code example in the way the enumerator values are expressed in code and what which implicit conversions are allowed. The previous compliant solution requires a nested name specifier to identify the enumerator (e.g., enum_type::E_A), for example, EnumType::First) and will not implicitly convert the enumerator value to int. As with the noncompliant code example, this compliant solution does not allow a nested name specifier and will implicitly convert the enumerator value to int.
Risk Assessment
Unexpected behavior can lead to It is possible for unspecified values to result in a buffer overflow and , leading to the execution of arbitrary code by an attacker. This is most likely if the program in one case checks the value correctly and then fails to do so later. Such a situation could allow an attacker to avoid verification of a buffer's length, and so on.Automated detection should be possible for most cases, but it might not be able to guarantee if the value in rangeHowever, because enumerators are rarely used for indexing into arrays or other forms of pointer arithmetic, it is more likely that this scenario will result in data integrity violations rather than arbitrary code execution.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
INT50-CPP | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| Astrée |
| cast-integer-to-enum | Partially checked | ||||||
| Axivion Bauhaus Suite |
| CertC++-INT50 | |||||||
| CodeSonar |
| LANG.CAST.COERCE LANG.CAST.VALUE | Coercion Alters Value Cast Alters Value | ||||||
| Helix QAC |
| C++3013 | |||||||
| Parasoft C/C++test |
| CERT_CPP-INT50-a | An expression with enum underlying type shall only have values corresponding to the enumerators of the enumeration | ||||||
| PVS-Studio |
| V1016 | |||||||
| RuleChecker |
| cast-integer-to-enum | Partially checked | ||||||
| Polyspace Bug Finder |
| CERT C++: INT50-CPP | Checks for casting to out-of-range enumeration value (rule fully covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
Bibliography
| [ |
| Becker 2009] | Section 7.2, "Enumeration Declarations" |
| [ISO/IEC 14882-2020] | Subclause 5.2.9, "Static Cast" |
|
Declarations" |
...
...