Integer operations must result in an integer value within the range of the integer type (that is, the resulting value is the same as the result produced by unlimited-range integers). Frequently, the range is more restrictive depending on the use of the integer value, for example, as an index. Integer values can be verified by code review or by static analysis.
Integer overflow is undefined behavior, so a compiled program can do anything, including going go off to play the Game of Life. Furthermore, a compiler may perform optimizations that assume an overflow will never occur, which can easily yield unexpected results. Compilers can optimize away if
statements that check whether an overflow occurred. See MSC15-C. Do not depend on undefined behavior for an example.
Verifiably in-range operations are often preferable to treating out-of-range values as an error condition because the handling of these errors has been repeatedly shown to cause denial-of-service problems in actual applications. The quintessential example is the failure of the Ariane 5 launcher, which occurred because of an improperly handled conversion error that resulted in the processor being shut down [Lions 1996].
...
The saturation and modwrap algorithms and the technique of restricted range usage, defined in the following subsections, produce integer results that are always within a defined range. This range is between the integer values MIN
and MAX
(inclusive), where MIN
and MAX
are two representable integers with MIN < MAX
.
Saturation Semantics
For saturation semantics, assume that the mathematical result of the computation is result
. The value actually returned to the user is set out in the following table:
Range of Mathematical Result | Result Returned |
---|---|
|
|
|
|
|
|
Modwrap Semantics
In modwrap semantics (also called modulo arithmetic), integer values "wrap round." That is, adding 1 to MAX
produces MIN
. This is the defined behavior for unsigned integers in the C Standard [ISO/IEC 9899:2011], Section , subclause 6.2.5, paragraph 9. It is frequently the behavior of signed integers, as well. However, it is more sensible in many applications to use saturation semantics instead of modwrap semantics. For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow rather than to suddenly becoming become a very small value.
Restricted Range Usage
Another technique for avoiding integer overflow is to use only half the range of signed integers. For example, when using an int
, use only the range [INT_MIN/2
, INT_MAX/2
]. This practice has been a trick of the trade in Fortran for some time, and now that optimizing C compilers are more sophisticated, it can be valuable in C.
...
Now, if the user types a < b
, there is often an implicit subtraction happeningoften occurs. On a machine without condition codes, the compiler may simply issue a subtract instruction and check whether the result is negative. This behavior is allowed because the compiler is allowed to assume there is no overflow. If all explicitly user-generated values are kept in the range [INT_MIN/2, INT_MAX/2]
, then comparisons will always work even if the compiler performs this optimization on such hardware.
...
In this noncompliant example, i + 1
will overflow on a 16-bit machine. The C standard Standard allows signed integers to overflow and produce incorrect results. Compilers can take advantage of this to produce faster code by assuming an overflow will not occur. As a result, the if
statement that is intended to catch an overflow might be optimized away.
Code Block | ||||
---|---|---|---|---|
| ||||
int i = /* Expression that evaluates to the value 32767 */; /* ... */ if (i + 1 <= i) { /* handleHandle overflow */ } /* expressionExpression involving i + 1 */ |
Compliant Solution
Using a long
instead of an int
is guaranteed to accommodate the computed value.:
Code Block | ||||
---|---|---|---|---|
| ||||
long i = /* Expression that evaluates to the value 32767 */; /* ... */ /* No test is necessary; i is known not to overflow. */ /* expressionExpression involving i + 1 */ |
Risk Assessment
Out-of-range integer values can result in reading from or writing to arbitrary memory locations and the execution of arbitrary code.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT08-C |
Medium |
Probable |
High | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| integer-overflow | Fully checked | ||||||
Axivion Bauhaus Suite |
|
Compass/ROSE
| CertC-INT08 | ||||||||
CodeSonar |
| ALLOC.SIZE.ADDOFLOW ALLOC.SIZE.IOFLOW ALLOC.SIZE.MULOFLOW ALLOC.SIZE.SUBUFLOW MISC.MEM.SIZE.ADDOFLOW MISC.MEM.SIZE.BAD MISC.MEM.SIZE.MULOFLOW MISC.MEM.SIZE.SUBUFLOW | Addition Overflow of Allocation Size Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Subtraction Underflow of Allocation Size Addition Overflow of Size Unreasonable Size Argument Multiplication Overflow of Size Subtraction Underflow of Size | ||||||
Compass/ROSE |
Could detect violations of this recommendation by flagging any comparison expression involving addition that could potentially overflow. For example, instead of comparing | |||||||||
Helix QAC |
| C2800, C2910 DF2801, DF2802, DF2803, DF2911, DF2912, DF2913 | |||||||
LDRA tool suite |
| 488 S, 493 S, 493 S | Partially implemented |
0272 (I)
0273 (I)
Parasoft C/C++test |
| CERT_C-INT08-a CERT_C-INT08-b CERT_C-INT08-c CERT_C-INT08-d | Avoid data loss when converting between integer types | ||||||
PC-lint Plus |
| 648, 650, 679, 680, 776, | Partially supported | ||||||
Polyspace Bug Finder |
| CERT C: Rec. INT08-C | Checks for integer overflow or integer constant overflow (rec. fully covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | VOID INT08-CPP. Verify that all integer values are in range |
ISO/IEC TR 24772:2013 | Numeric |
Conversion Errors [FLC] |
Bibliography
...
...