The Java Language Specification (JLS), Section 15 §15.17.3, "Remainder Operator %" [JLS 2013], states:,
The remainder operation for operands that are integers after binary numeric promotion (§5.6.2) produces a result value such that
(a/b)*b+(a%b)is equal toa. This identity holds even in the special case that the dividend is the negative integer of largest possible magnitude for its type and the divisor is-1(the remainder is0). It follows from this rule that the result of the remainder operation can be negative only if the dividend is negative, and can be positive only if the dividend is positive; moreover, the magnitude of the result is always less than the magnitude of the divisor.
Programmers may incorrectly assume that the remainder operation always returns a positive result, and may code accordingly. This can result in vulnerabilities.
The definition The result of the remainder operator specifies the following behaviorhas the same sign as the dividend (the first operand in the expression):
| Code Block |
|---|
5 % 3 produces 2 5 % (-3) produces 2 (-5) % 3 produces -2 (-5) % (-3) produces -2 |
The result has the same sign as the dividend (the first operand in the expression)As a result, code that depends on the remainder operation to always return a positive result is erroneous.
Noncompliant Code Example
This noncompliant code example uses the integer hashKey as an index into the hash array. The lookup function may fail, because the hash key input may be negative and so yield a negative result from the remainder operator; thus, the lookup function will throw a java.lang.ArrayIndexOutOfBoundsException for all negative inputs.
| Code Block | ||
|---|---|---|
| ||
private int SIZE = 16;
public int[] hash = new int[SIZE];
public int lookup(int hashKey) {
return hash[hashKey % SIZE];
}
|
A negative hash key produces a negative result from the remainder operator, causing the lookup() method to throw java.lang.ArrayIndexOutOfBoundsException.
Compliant Solution
This compliant solution calls a method that the imod() method, which always returns a modulus that is always positive.positive remainder:
| Code Block | ||
|---|---|---|
| ||
// methodMethod imod() gives non-negativenonnegative result private int SIZE = 16; public int[] hash = new int[SIZE]; private int imod(int i, int j) { int temp = i % j; return (temp < 0) ? -temp : temp; // unaryUnary -minus will succeed without overflow // because temp cannot be Integer.MIN_VALUE } public int lookup(int hashKey) { return hash[imod(hashKey, sizeSIZE)]; } |
...
Applicability
Assuming Incorrectly assuming a positive remainder when using the remainder operator from a remainder operation can result in incorrect computationserroneous code.
...
Automated Detection
| Severity Tool | Likelihood Version | Remediation Cost Checker | Priority Description Level | ||
|---|---|---|---|---|---|
| SonarQube | |||||
INT02-J | low | unlikely | high | P1 | L3 |
Automated Detection
Automated detection of uses of the % operator is straightforward. Sound determination of whether those uses correctly reflect the intent of the programmer is infeasible in the general case. Heuristic warnings may be useful.
Other Languages
This guideline appears in the C Secure Coding Standard as INT10-C. Do not assume a positive remainder when using the % operator.
This guideline appears in the C++ Secure Coding Standard as INT10-CPP. Do not assume a positive remainder when using the % operator,
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
| Wiki Markup |
|---|
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 15.17.3|http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.17.3] "Remainder Operators" |
| S2197 |
Bibliography
...
INT01-J. Check ranges before casting integers to narrower types 06. Integers (INT) INT03-J. Avoid casting numeric types to wider floating-point types without range checks