SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 37 Next »

If a floating point value is to be demoted to a floating point value of a smaller range and precision, it must be ensured that this value is representable by the demoted type.

From 6.3.1.5 of the C99 standard [[ISO/IEC 9899-1999]]:

When a double is demoted to float or a long double is demoted to double or float...if the value being converted is outside the range of values that can be represented, the behavior is undefined.

Therefore, implementations that do not allow for the representation of all numbers, conversions of too small of numbers (between zero and FLT_MIN) may result in undefined behavior.

This rule does not apply to floating point implementations that support signed infinity, such as IEEE 754, as all numbers are representable.

Non-Compliant Code Example

The following non-compliant code illustrates casts of values that may not be outside of the range of the demoted type. 

long double ld;
double d1;
double d2;
float f1;
float f2;

/* initializations */

f1 = (float)d1;
f2 = (float)ld;
d2 = (double)ld;

As a result of these conversions, it is possible that d1 is outside the range of values that can be represented by a float or that ld is outside the range of values that can be represented as either a float or a double. If this is the case, the result is undefined.

Compliant Solution

This compliant solution properly checks to see whether the values to be stored can be represented in the new type.

#include <float.h>

long double ld;
double d1;
double d2;
float f1;
float f2;

/* initializations */

if (d1 > FLT_MAX || d1 < -FLT_MAX) {
  	/* Handle error condition */
} else {
 	f1 = (float)d1;
}
if (ld > FLT_MAX || ld < -FLT_MAX) {
	/* Handle error condition */
} else {
	f2 = (float)ld;
}
if (ld > DBL_MAX || ld < -DBL_MAX) {
	/* Handle error condition */
} else {
	d2 = (double)ld;
}

Risk Analysis

Failing to check that a floating point value fits within a demoted type can result in a value too large to be represented by the new type, resulting in undefined behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FLP34-C

low

unlikely

low

P3

L3

Automated Detection

Fortify SCA Version 5.0 with CERT C Rule Pack can detect violations of this rule.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 6.3.1.5, "Real floating types"
[[IEEE 754]] IEEE 754-1985 Standard for Binary Floating-Point Arithmetic

FLP33-C. Convert integers to floating point for floating point operations      05. Floating Point (FLP)       06. Arrays (ARR)

  • No labels