Page History

...

Use only signed char and unsigned char types for the storage and use of numeric values because it is the only portable way to guarantee the signedness of the character types . See (see STR00-C. Represent characters using an appropriate type for more information on representing characters).

Noncompliant Code Example

...

Code Block

bgColor	#ccccff
lang	c

unsigned char c = 200;
int i = 1000;
printf("i/c = %d\n", i/c);

Exceptions

INT07-C-EX1: void FIO34-C. Use int to capture the return value of character IO functions that might be used to check for end of file mentions that certain character IO functions return a value of type int. Despite being returned in an arithmetic type, the value is not actually numeric in nature, so it is acceptable to later store the result into a variable of type char.

...

This is a subtle error that results in a disturbingly broad range of potentially severe vulnerabilities. At the very least, this error can lead to unexpected numerical results on different platforms. Unexpected arithmetic values when applied to arrays or pointers can yield buffer overflows or other invalid memory access.

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
INT07-C	Medium	Probable	Medium	P8	L2

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

Supported indirectly via MISRA C:2012 rules 10.1, 10.3 and 10.4.

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-INT07

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

LANG.TYPE.IOT

Inappropriate operand type

Compass/ROSE

Can detect violations of this recommendation. In particular, it flags any instance of a variable of type char (without a signed or unsigned qualifier) that appears in an arithmetic expression

ECLAIR

Include Page

	ECLAIR_V
	ECLAIR_V

CC2.INT07

Fully implemented

Fortify SCA

5.0

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C1292, C1293, C4401, C4421, C4431, C4441, C4451

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

PORTING.SIGNED.CHAR

Can detect violations of this recommendation with the CERT C Rule Pack

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

93 S

, 96 S, 101 S, 329 S

, 432 S

, 458 S

Fully implemented

Splint

Parasoft C/C++test

Include Page

Splint

	Parasoft_V

Splint

	Parasoft_V

PRQA QA-C Include PagePRQA_VPRQA_V

3711
3722
3733
3744
3755
3766
3777
3788
3850
3863
3911
3922
3933
3944
3955
3966
3977
3988
4050
4063

CERT_C-INT07-a
CERT_C-INT07-b

The plain char type shall be used only for the storage and use of character values
signed and unsigned char type shall be used only for the storage and use of numeric values

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

9112

Fully supported

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rec. INT07-C

Checks for use of plain char type for numeric value (rec. fully covered)

Splint

Include Page

	Splint_V
	Splint_V

RuleChecker

Include Page

	RuleChecker_V
	RuleChecker_V

Supported indirectly via MISRA C:2012 rules 10.1, 10.3 and 10.4.

SonarQube C/C++ Plugin

Include Page

	SonarQube C/C++ Plugin_V
	SonarQube C/C++ Plugin_V

S820

Partially implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++

Secure

Coding Standard	VOID INT07-CPP. Use only explicitly signed or unsigned char type for numeric values
ISO/IEC TR 24772:2013	Bit Representations [STR]
MISRA C:2012	Rule 10.1 (required) Rule 10.3 (required) Rule 10.4 (required)
MITRE CWE	CWE-682, Incorrect calculation

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 78

New Version Current

Key

Noncompliant Code Example

Exceptions

Automated Detection

Related Vulnerabilities

Related Guidelines