CWE Rule 194
Description
Rule Description
The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
Polyspace Implementation
The rule checker checks for these issues:
Sign change integer conversion overflow
Tainted sign change conversion
Examples
Sign change integer conversion overflow
This issue occurs when converting an unsigned integer to a signed integer. If the variable does not have enough bytes to represent both the original constant and the sign bit, the conversion overflows.
The exact storage allocation for different floating point types depends on your
processor. See Target processor type (-target)
.
The fix depends on the root cause of the defect. Often the result details (or source code tooltips in Polyspace as You Code) show a sequence of events that led to the defect. You can implement the fix on any event in the sequence. If the result details do not show this event history, you can search for previous references of variables relevant to the defect using right-click options in the source code and find related events. See also Interpret Bug Finder Results in Polyspace Desktop User Interface or Interpret Bug Finder Results in Polyspace Access Web Interface (Polyspace Access).
See examples of fixes below.
If you do not want to fix the issue, add comments to your result or code to avoid another review. See:
Address Results in Polyspace User Interface Through Bug Fixes or Justifications if you review results in the Polyspace user interface.
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser.
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE.
A default Bug Finder analysis might not raise this defect when the input values are unknown and only a subset of inputs cause an issue. To check for defects caused by specific system input values, run a stricter Bug Finder analysis. See Extend Bug Finder Checkers to Find Defects from Specific System Input Values.
char sign_change(void) { unsigned char count = 255; return (char)count; //Noncompliant }
In the return statement, the unsigned character
variable count
is converted to a signed character.
However, char
has 8 bits, 1 for the sign of the
constant and 7 to represent the number. The conversion operation overflows
because 255 uses 8 bits.
One possible correction is using a larger integer
type. By using an int
, there are enough bits to
represent the sign and the number value.
int sign_change(void) { unsigned char count = 255; return (int)count; }
Tainted sign change conversion
This issue occurs when values from unsecure sources are converted, implicitly or explicitly, from signed to unsigned values.
For example, functions that use size_t
as arguments implicitly convert the argument to an unsigned integer. Some functions that implicitly convert size_t
are:
bcmp memcpy memmove strncmp strncpy calloc malloc memalign
If you convert a small negative number to unsigned, the result is a large positive number. The large positive number can create security vulnerabilities. For example, if you use the unsigned value in:
Memory size routines — causes allocating memory issues.
String manipulation routines — causes buffer overflow.
Loop boundaries — causes infinite loops.
To avoid converting unsigned negative values, check that the value being converted is within an acceptable range. For example, if the value represents a size, validate that the value is not negative and less than the maximum value size.
By default, Polyspace® assumes that data from external sources are tainted. See Sources of Tainting in a Polyspace Analysis. To consider
any data that does not originate in the current scope of Polyspace analysis as
tainted, use the command line option -consider-analysis-perimeter-as-trust-boundary
.
#include <stdlib.h> #include <string.h> #include <stdio.h> enum { SIZE10 = 10, SIZE100 = 100, SIZE128 = 128 }; void bug_taintedsignchange(void) { int size; scanf("%d",&size); char str[SIZE128] = ""; if (size<SIZE128) { memset(str, 'c', size); //Noncompliant } }
In this example, a char
buffer is created
and filled using memset
. The size argument to memset
is
an input argument to the function.
The call to memset
implicitly converts size
to
unsigned integer. If size
is a large negative number,
the absolute value could be too large to represent as an integer,
causing a buffer overflow.
size
One possible correction is to check if size
is
inside the valid range. This correction checks if size
is
greater than zero and less than the buffer size before calling memset
.
#include <stdlib.h> #include <string.h> #include <stdio.h> enum { SIZE10 = 10, SIZE100 = 100, SIZE128 = 128 }; void corrected_taintedsignchange(void) { int size; scanf("%d",&size); char str[SIZE128] = ""; if (size>0 && size<SIZE128) { memset(str, 'c', size); } }
Check Information
Category: Others |
Version History
Introduced in R2023a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
Select a Web Site
Choose a web site to get translated content where available and see local events and offers. Based on your location, we recommend that you select: .
You can also select a web site from the following list
How to Get Best Site Performance
Select the China site (in Chinese or English) for best site performance. Other MathWorks country sites are not optimized for visits from your location.
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)
Asia Pacific
- Australia (English)
- India (English)
- New Zealand (English)
- 中国
- 日本Japanese (日本語)
- 한국Korean (한국어)