Enumerations in C++ come in two forms: scoped enumerations in which the underlying type is fixed and unscoped enumerations in which the underlying type may or may not be fixed. The range of values that can be represented by either form of enumeration may include enumerator values not specified by the enumeration itself. The range of valid enumeration values for an enumeration type is defined by the C++ Standard, [dcl.enum], in paragraph 8 [ISO/IEC 14882-20142020]:
For an enumeration whose underlying type is fixed, the values of the enumeration are the values of the underlying the underlying type. Otherwise, for an enumeration where emin is the smallest enumerator and emax is the largest, the values of the enumeration are the values in the range bmin to bmax, defined as follows: Let K be
1
for a two’s complement representation and0
for a one’s complement or sign-magnitude representation. bmax is the smallest value greater than or equal to max(|emin| − K, |emax|) and equal to 2M − 1, where M is a non-negative integer. bmin is zero if emin is non-negative and −(bmax + K) otherwise. The size of the representable by a hypothetical integer type with minimal width M such that all enumerators can be represented. The width of the smallest bit-field large enough to hold all the values of the enumeration type is max(M, 1) if bmin is zero and M + 1 otherwise. It is possible to define an enumeration that has values not defined by any of its enumeratorsits enumerators. If the enumerator-list is empty, the values of the enumeration are as if the enumeration had a single a single enumerator with value 0.
According to the The C++ Standard, [expr.static.cast], paragraph 10, states the following:
A value of integral or enumeration type can be explicitly converted to an enumeration type. The value is unchanged converted to a complete enumeration type. If the enumeration type has a fixed underlying type, the value is first converted to that type by integral conversion, if necessary, and then to the enumeration type. If the enumeration type does not have a fixed underlying type, the value is unchanged if the original value is within the range of the enumeration values (9.7.2). Otherwise1), and otherwise, the resulting value is unspecified (and might not be in that range)behavior is undefined. A value of floating-point type can also be explicitly converted explicitly converted to an enumeration type. The resulting value is the same as converting the original value to the underlying the underlying type of the enumeration (47.3.910), and subsequently to the enumeration type.
To avoid operating on unspecified values, the arithmetic value being cast must be within the range of values the enumeration can represent. When dynamically checking for out-of-range values, checking must be performed before the cast expression.
...
This compliant solution uses a scoped enumeration, which has a fixed underlying int
type of type int
by default, allowing any value from the parameter to be converted into a valid enumeration value. It does not restrict the converted value to one for which there is a specific enumerator value, but it could do so as shown in the previous compliant solution.
...
Similar to the previous compliant solution, this compliant solution uses an unscoped enumeration but provides a fixed underlying int
type of type int
, allowing any value from the parameter to be converted to a valid enumeration value:.
Code Block | ||||
---|---|---|---|---|
| ||||
enum EnumType : int { First, Second, Third }; void f(int intVar) { EnumType enumVar = static_cast<EnumType>(intVar); } |
...
It is possible for unspecified values to result in a buffer overflow, leading to the execution of arbitrary code by an attacker. However, because enumerators are rarely used for indexing into arrays or other forms of pointer arithmetic, it is more likely that this scenario will result in data integrity violations rather than arbitrary code execution.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT50-CPP | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| cast-integer-to-enum | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC++-INT50 | |||||||
CodeSonar |
| LANG.CAST.COERCE LANG.CAST.VALUE | Coercion Alters Value Cast Alters Value | ||||||
Helix QAC |
| C++3013 | |||||||
Parasoft C/C++test |
| CERT_CPP-INT50-a | An expression with enum underlying type shall only have values corresponding to the enumerators of the enumeration | ||||||
PVS-Studio |
| V1016 | |||||||
RuleChecker |
| cast-integer-to-enum | Partially checked | ||||||
Polyspace Bug Finder |
| CERT C++: INT50-CPP | Checks for casting to out-of-range enumeration value (rule fully covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
[Becker 2009] | Section 7.2, "Enumeration Declarations" |
[ISO/IEC 14882- |
2020] | Subclause 5.2.9, "Static Cast" |
...
...