Integer types smaller than int are promoted when an operation is performed on them. If all values of the original type can be represented as an int, the value of the smaller type is converted to an int; otherwise, it is converted to an unsigned int (see INT02-C. Understand integer conversion rules). If the conversion is to a wider type, the original value is zero-extended for unsigned values or zero-extended for signed types. Arithmetic operations performed on ints yield the same values as on chars and shorts (at least in the low-order bits). However, bitwise operations may have unexpected results.
Noncompliant Code Example
This noncompliant code example demonstrates how performing bitwise operations on integer types smaller than int may have unexpected results.
uint8_t port = 0x5aU; uint8_t result_8 = ( ~port ) >> 4;
In this example, port is negated, and shifted 4 bits to the right. If these operations were performed on a 8-bit integer, then result_8 would have the value 0x0aU. However, port will first be promoted to a 32-bit integer (signed or unsigned, depending on implementation), with the following results:
|
|
|
|
|
|
|
|
Compliant Solution
In this compliant solution, we truncate the negation back down to 8 bits. Consequently, result_8 receives the expected value of 0x0aU.
uint8_t port = 0x5aU; uint8_t result_8 = (uint8_t) (~port) >> 4;
Risk Assessment
Bitwise operations on shorts and chars can produce incorrect data.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
EXP14-C |
low |
likely |
high |
P3 |
L3 |
Automated Detection
Tool |
Version |
Checker |
Description |
|---|---|---|---|
Compass/ROSE |
|
|
|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: EXP15-CPP. Beware of integer promotion when performing bitwise operations on chars or shorts
MISRA Rule 10.5