...
For saturation semantics, assume that the mathematical result of the computation is result
. The value actually returned to the user is set out in the following table:
Range of Mathematical Result | Result Returned |
---|---|
|
|
|
|
|
|
Modwrap Semantics
In modwrap semantics (also called modulo arithmetic), integer values "wrap round." That is, adding 1 to MAX
produces MIN
. This is the defined behavior for unsigned integers in the C Standard, subclause 6.2.5, paragraph 9. It is frequently the behavior of signed integers, as well. However, it is more sensible in many applications to use saturation semantics instead of modwrap semantics. For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow rather than to suddenly become a very small value.
...
Out-of-range integer values can result in reading from or writing to arbitrary memory locations and the execution of arbitrary code.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT08-C | Medium | Probable | High | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||
---|---|---|---|---|---|---|---|
Astrée |
|
integer-overflow | Fully checked | ||||||||
Axivion Bauhaus Suite |
| CertC-INT08 | |||||||
CodeSonar |
| ALLOC.SIZE.ADDOFLOW ALLOC.SIZE.IOFLOW ALLOC.SIZE.MULOFLOW ALLOC.SIZE.SUBUFLOW MISC.MEM.SIZE.ADDOFLOW MISC.MEM.SIZE.BAD MISC.MEM.SIZE.MULOFLOW MISC.MEM.SIZE.SUBUFLOW | Addition Overflow of Allocation Size Integer Overflow of Allocation Size Multiplication Overflow of Allocation Size Subtraction Underflow of Allocation Size Addition Overflow of Size Unreasonable Size Argument Multiplication Overflow of Size Subtraction Underflow of Size | ||||||
Compass/ROSE |
Could detect violations of this recommendation by flagging any comparison expression involving addition that could potentially overflow. For example, instead of comparing | |||||||||
Helix QAC |
| C2800, C2910 DF2801, DF2802, DF2803, DF2911, DF2912, DF2913 | |||||||
LDRA tool suite |
| 488 S, 493 S, 493 S | Partially implemented |
Overflow from operation between integers
2800,2801,2802,2803,
2910,2911,2912,2913
Parasoft C/C++test |
| CERT_C-INT08-a CERT_C-INT08-b CERT_C-INT08-c CERT_C-INT08-d | Avoid data loss when converting between integer types | ||||||
PC-lint Plus |
| 648, 650, 679, 680, 776, | Partially supported | ||||||
Polyspace Bug Finder |
| CERT C: Rec. INT08-C | Checks for integer overflow or integer constant overflow (rec. fully covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | VOID INT08-CPP. Verify that all integer values are in range |
ISO/IEC TR 24772:2013 | Numeric Conversion Errors [FLC] |
Bibliography
...
...