Signed integer overflow is undefined behavior 36. Consequently, implementations have considerable latitude in how they deal with signed integer overflow. (See MSC15-C. Do not depend on undefined behavior.) An implementation that defines signed integer types as being modulo, for example, need not detect integer overflow. Implementations may also trap on signed arithmetic overflows, or simply assume that overflows will never happen and generate object code accordingly. It is also possible for the same conforming implementation to emit code that exhibits different behavior in different contexts. For example, an implementation may determine that a signed integer loop control variable declared in a local scope cannot overflow and may emit efficient code on the basis of that determination, while the same implementation may determine that a global variable used in a similar context will wrap.
For these reasons, it is important to ensure that operations on signed integers do not result in overflow. Of particular importance are operations on signed integer values that originate from a tainted source and are used as
- Integer operands of any pointer arithmetic, including array indexing
- The assignment expression for the declaration of a variable length array
- The postfix expression preceding square brackets
[]
or the expression in square brackets[]
of a subscripted designation of an element of an array object - Function arguments of type
size_t
orrsize_t
(for example, an argument to a memory allocation function)
Integer operations will overflow if the resulting value cannot be represented by the underlying representation of the integer. The following table indicates which operations can result in overflow.
Operator | Overflow | Operator | Overflow | Operator | Overflow | Operator | Overflow |
---|---|---|---|---|---|---|---|
| Yes |
| Yes |
| Yes |
| No |
| Yes |
| Yes |
| No |
| No |
| Yes |
| Yes |
| No |
| No |
| Yes |
| Yes |
| No |
| No |
| Yes |
| Yes |
| No |
| No |
| Yes |
| No |
| No |
| No |
| Yes |
| No |
| No |
| No |
| No |
| No |
| No |
| No |
| Yes |
| No |
| Yes |
| No |
The following sections examine specific operations that are susceptible to integer overflow. When operating on integer types with less precision than int
, integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Programmers should understand integer conversion rules before trying to implement secure arithmetic operations. (See INT02-C. Understand integer conversion rules.)
Implementation Details
GNU GCC invoked with the -fwrapv
command-line option defines the same modulo arithmetic for both unsigned and signed integers.
GNU GCC invoked with the -ftrapv
command-line option causes a trap to be generated when a signed integer overflows, which will most likely abnormally exit. On a UNIX system, the result of such an event may be a signal sent to the process.
GNU GCC invoked without either the -fwrapv
or the -ftrapv
option may simply assume that signed integers never overflow and may generate object code accordingly.
Atomic Integers
The C Standard defines the behavior of arithmetic on atomic signed integer types to use two's complement representation with silent wraparound on overflow; there are no undefined results. Although defined, these results may be unexpected and therefore carry similar risks to unsigned integer wrapping. (See INT30-C. Ensure that unsigned integer operations do not wrap.) Consequently, signed integer overflow of atomic integer types should also be prevented or detected.
Addition
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type. This rule applies only to addition between two operands of arithmetic type. (See ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR30-C. Do not form or use out-of-bounds pointers or array subscripts.)
Incrementing is equivalent to adding 1.
Noncompliant Code Example
This noncompliant code example can result in a signed integer overflow during the addition of the signed operands si_a
and si_b
:
Compliant Solution
This compliant solution ensures that the addition operation cannot overflow, regardless of representation:
Subtraction
Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or a pointer to an object type and an integer type. This rule applies only to subtraction between two operands of arithmetic type. (See ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR30-C. Do not form or use out-of-bounds pointers or array subscripts for information about pointer subtraction.)
Decrementing is equivalent to subtracting 1.
Noncompliant Code Example
This noncompliant code example can result in a signed integer overflow during the subtraction of the signed operands si_a
and si_b
:
Compliant Solution
This compliant solution tests the operands of the subtraction to guarantee there is no possibility of signed overflow, regardless of representation:
Multiplication
Multiplication is between two operands of arithmetic type.
Noncompliant Code Example
This noncompliant code example can result in a signed integer overflow during the multiplication of the signed operands si_a
and si_b
:
Compliant Solution
The product of two operands can always be represented using twice the number of bits than exist in the precision of the larger of the two operands. This compliant solution eliminates signed overflow on systems where long long
is at least twice the precision of int
:
The assertion fails if long long
has less than twice the precision of int
. The PRECISION()
macro and popcount()
function provide the correct precision for any integer type. (See INT35-C. Use correct integer precisions.)
Compliant Solution
The following portable compliant solution can be used with any conforming implementation, including those that do not have an integer type that is at least twice the precision of int
:
Division
Division is between two operands of arithmetic type. Overflow can occur during two's complement signed integer division when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1
. Division operations are also susceptible to divide-by-zero errors. (See INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors.)
Noncompliant Code Example
This noncompliant code example prevents divide-by-zero errors in compliance with INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors but does not prevent a signed integer overflow error in two's-complement.
Implementation Details
On the x86-32 architecture, overflow results in a fault, which can be exploited as a denial-of-service attack.
Compliant Solution
This compliant solution eliminates the possibility of divide-by-zero errors or signed overflow:
Remainder
The remainder operator provides the remainder when two operands of integer type are divided. Because many platforms implement remainder and division in the same instruction, the remainder operator is also susceptible to arithmetic overflow and division by zero. (See INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors.)
Noncompliant Code Example
Many hardware architectures implement remainder as part of the division operator, which can overflow. Overflow can occur during a remainder operation when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1. It occurs even though the result of such a remainder operation is mathematically 0. This noncompliant code example prevents divide-by-zero errors in compliance with INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors but does not prevent integer overflow:
Implementation Details
On x86-32 platforms, the remainder operator for signed integers is implemented by the idiv
instruction code, along with the divide operator. Because LONG_MIN / −1
overflows, it results in a software exception with LONG_MIN % −1
as well.
Compliant Solution
This compliant solution also tests the remainder operands to guarantee there is no possibility of an overflow:
Left-Shift Operator
The left-shift operator takes two integer operands. The result of E1 << E2
is E1
left-shifted E2
bit positions; vacated bits are filled with zeros.
The C Standard, 6.5.7, paragraph 4 [ISO/IEC 9899:2011], states
If
E1
has a signed type and nonnegative value, andE1 × 2^{E2}
is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.
In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a logic error. These issues are covered by INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.
Noncompliant Code Example
This noncompliant code example performs a left shift, after verifying that the number being shifted is not negative, and the number of bits to shift is valid. The PRECISION()
macro and popcount()
function provide the correct precision for any integer type. (See INT35-C. Use correct integer precisions.) However, because this code does no overflow check, it can result in an unrepresentable value.
Compliant Solution
This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:
Unary Negation
The unary negation operator takes an operand of arithmetic type. Overflow can occur during two's complement unary negation when the operand is equal to the minimum (negative) value for the signed integer type.
Noncompliant Code Example
This noncompliant code example can result in a signed integer overflow during the unary negation of the signed operand s_a
:
Compliant Solution
This compliant solution tests the negation operation to guarantee there is no possibility of signed overflow:
Risk Assessment
Integer overflow can lead to buffer overflows and the execution of arbitrary code by an attacker.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT32-C | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
CodeSonar | 4.4 | ALLOC.SIZE.ADDOFLOW | Addition overflow of allocation size |
Coverity | 2017.07 | TAINTED_SCALAR BAD_SHIFT | Implemented |
LDRA tool suite | 9.5.6 | 493 S, 494 S | Partially implemented |
Polyspace Bug Finder | R2016a | Overflow from operation between integers Division | |
PRQA QA-C | 9.3 | 2800, 2801, 2802, 2803,2860,2861,2862,2863 | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
[Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223) |
[ISO/IEC 9899:2011] | Subclause 6.5.5, "Multiplicative Operators" |
[Seacord 2013b] | Chapter 5, "Integer Security" |
[Viega 2005] | Section 5.2.7, "Integer Overflow" |
[Warren 2002] | Chapter 2, "Basics" |
23 Comments
Dave Aronson
The compliant solution for unsigned int addition is rather unclear. Is something wrong with "if (UINT_MAX - ui1 > ui2)"?
No general compliant solution for signed subtraction?
Re the general compliant solution for signed multiplication, all that nesting is rather messy, in ways that a temp var or two could help clear up. How about this:
The main problem that I think may be lurking in the above, is the truncation semantics of division yielding a negative quotient, in which case limit may have to be incremented or decremented. I have to think on that a bit more, but this should at least serve as a clearer starting point.
Robert Seacord
The following program ran to completion using Microsoft Visual Studio 2005 Version 8.0.50727.42 and run on an IA-32 Windows XP box:
The program took a while to run, but only output "done."
Douglas A. Gwyn
In the ~uil example, some other rule ought to be violated (something like "don't unnecessarily embed platform dependencies"). Also, if one form is faster than the other, talk to your compiler vendor, because if they are truly equivalent tests then optimization should occur.
Robert Seacord
The ~uil example always seems to draw criticism, so I have removed it to MSC14-C. Do not introduce unnecessary platform dependencies and give it as a non-compliant coding example. Please have a look at this new recommendation, if you have a chance.
David Svoboda
This rule may be technically correct, but it throws too heavy a burden on any programmer doing any math; even something as simple as
x++
.For instance, DCL06-A has example code that computes the quadratic formula:
Concise and elegant, but this completely ignores overflow possibilities. This code can be done mostly with ints, just excepting the
sqrt()
function and divide operator.This rule basically requires an if statement with a complex boolean expression and a 'handle-overflow' clause for every math operation. So securing this 1-line formula would mutate it into a 30-line quagmire of if statements. The overhead of checking for overflow would completely obscure the original formula in the code.
The ideal way to handle this would be with exceptions. In Java one could just say:
Does C99 (or POSIX) provide any exception mechanism for integer overflow? Can we, for instance, do the math, and then check
errno
?And on top of that, the table omits the – operator!
Robert Seacord
Subtraction is in the table, as well as unary negation.
C99 provides no mechanism for checking integer overflow. Signed integer overflow is undefined behavior and unsigned integer arithmetic is modulo.
However, this rule does not apply to: (-b + sqrt(b*b - 4*a*c)) / (2*a);
It only applies to integer values used in any of the the following ways:
The security-critical code is sort of a catch-all, but it doesn't catch quadratic formulas.
David Svoboda
Grr...the wiki doesn't show that by – I was referring to the decrement operator (post- or pre-), not unary minus or subtraction.
I think the rule does apply to quadratic formulas, or at least, it should. If my q.f. generates the wrong result, that is an unexpected arithmetic value, even if I don't use it for an array index. The steps I would need to take to know if my q.f. gave me the right answer are the same steps you need to take to ensure your array index is correct.
The only real difference (well, besides the fact my q.f. will involve floats) is that the math involved in array indices, pointer arithmetic, etc. is usually simpler than a q.f.
Hm. There IS one other difference, and it may be crucial. You can do a q.f. on any integers (or floats). But array indices, as well as your other domains, are generally used within pre-specified domains...eg. within your static array, whose length is specified at compile time in a declaration, or at run-time with a malloc() call.
I suppose this rule's domain (eg memory-related math), the math is simpler and more optimize-able than general math like my q.f.
Robert Seacord (Manager)
I'm thinking of separating out unsigned again into a "avoid wrapping" rule or possibly recommendation.
What do people think?
Hallvard Furuseth
Haven't kept track of separating or not unsigned/signed, but one nitpick: "avoid wrapping" sounds wrong. If you mean it about unsigned, well-defined wrapping is one reason to use unsigned in the first place. About signed it's right, though one can't depend on wrapping anyway so it's better to make it a case of "don't invoke undefined behavior except when the implementation you write for defines it".
Hallvard Furuseth
I think the table about overflow/not overflow is misleading, I'd split it in arithmetic, bit, assignment, and conditional operations:
The two's complement add/subtract solutions are broken:
The general compliant addition/subtraction solutions are unnecessarily big. Look at what you need to catch and reduce it a bit:
Similar for addition.
Another trick when you know both values are nonnegative (which is a common case) is to convert to unsigned, then operations are well-defined so you can test for overflow afterwards:
The general compliant multiplication solution can be reduced by first swapping si1 and si2 if si1 > si2, or something like that. And as big as it is, it looks like a good case for doing
The division and modulo tests are not quite right - the point is not that LONG_MIN is a problem, but that a value < -LONG_MAX, if that can exist, is a problem. Also you never need to do 3 tests:
The same goes for unary negation - check if si1 < -INT_MAX. Possibly this also affects the multiplication solution, but I got tired just looking at that.
Hallvard Furuseth
For multiplication, this should be equivalent:
It helps to play around a bit with code like that
However one problem with this code is that it will compile but break on C90 implementations which can round away from zero if an operand is negative. Many implementations support part of but not all C99, so it's probably best to catch it. Either expand the test to handle that (just the thought makes me tired or add something to ensure the program will not compile if it makes wrong assumptions about the implementation:
Robert Seacord
http://wiki.dinkumware.com/twiki/bin/view/WG14/CriticalUndefinedBehavior
states
INT_MIN % -1 is well-defined in the present standard to have value 0 without trapping, but lots of implementations get wrong.
Robert Seacord
Also from the autoconf manual:
On CPUs of the i386 family, dividing INT_MIN by -1 yields a SIGFPE signal which by default terminates the program. Worse, taking the remainder of these two values typically yields the same signal on these CPUs, even though the C standard requires INT_MIN % -1 to yield zero because the expression does not overflow.
David Svoboda
Added details about what INT_MIN % -1 does on various platforms.
I would assert that the standard is not clear on this point. According to C99, section 6.5.5, paragraph 6:
But, as noted above, INT_MIN/-1 is not representable (as a signed int); therefore one can argue that INT_MIN % -1 is undefined according to the standard.
Robert Seacord
Because the result of the INT_MIN % -1 operation is representable, I think the standard requires that the operation not overflow.
Aaron Ballman
C11 modified the wording slightly:
The key part, to me, is "if the quotient a/b is representable...otherwise, the behavior of both a/b and a%b is undefined."
Since INT_MIN/-1 is not representable, I believe INT_MIN % -1 is undefined as well, regardless of whether the result is representable.
Robert Seacord
Yes, that's right. We actually participated in this discussion in WG14. INT_MIN % -1 is explicitly undefined behavior in C11.
Tim Wilson
Do we know of machines on which the two's complement solutions run faster than the general solutions? I just tested both solutions for signed addition on the andrew linux machines and found the two's complement solution was about 50% slower.
Robert Seacord (Manager)
I've mostly reviewed this rule. I'm just wondering if it is ok to call the UWIDTH() macro on an unsigned integer type to get the width of a signed integer type.
Masaki Kubo
Under "Atomic Inetgers", it says "The C Standard defines the behavior of arithmetic on atomic signed integer types to use two's complement representation with silent wraparound on overflow."
I'm curious to know where in the standard I can find it.
Robert Seacord
There is this from subclause 7.17.7.5 paragraph 3:
ntysdd
I believe this is wrong or inaccurate.
Maybe gcc will yield the answer 0 at compile time, but I don't think it will do that at run time, because that means it will be force to insert extra branch instructions at every remainder operation if it can't rule out the possibility.
Robert Seacord
I agree; that was probably the result of constant folding. I removed everything from the implementation dependent section except the description of x86.