CERT
Skip to end of metadata
Go to start of metadata

Signed integer overflow is undefined behavior 36. Consequently, implementations have considerable latitude in how they deal with signed integer overflow. (See MSC15-C. Do not depend on undefined behavior.) An implementation that defines signed integer types as being modulo, for example, need not detect integer overflow. Implementations may also trap on signed arithmetic overflows, or simply assume that overflows will never happen and generate object code accordingly.  It is also possible for the same conforming implementation to emit code that exhibits different behavior in different contexts. For example, an implementation may determine that a signed integer loop control variable declared in a local scope cannot overflow and may emit efficient code on the basis of that determination, while the same implementation may determine that a global variable used in a similar context will wrap.

For these reasons, it is important to ensure that operations on signed integers do not result in overflow. Of particular importance are operations on signed integer values that originate from a tainted source and are used as

  • Integer operands of any pointer arithmetic, including array indexing
  • The assignment expression for the declaration of a variable length array
  • The postfix expression preceding square brackets [] or the expression in square brackets [] of a subscripted designation of an element of an array object
  • Function arguments of type size_t or rsize_t (for example, an argument to a memory allocation function)

Integer operations will overflow if the resulting value cannot be represented by the underlying representation of the integer. The following table indicates which operations can result in overflow.

Operator

Overflow

Operator

Overflow

Operator

Overflow

Operator

Overflow

+

Yes

-=

Yes

<<

Yes

<

No

-

Yes

*=

Yes

>>

No

>

No

*

Yes

/=

Yes

&

No

>=

No

/

Yes

%=

Yes

|

No

<=

No

%

Yes

<<=

Yes

^

No

==

No

++

Yes

>>=

No

~

No

!=

No

--

Yes

&=

No

!

No

&&

No

=

No

|=

No

unary +

No

||

No

+=

Yes

^=

No

unary -

Yes

?:

No

The following sections examine specific operations that are susceptible to integer overflow. When operating on integer types with less precision than int, integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Programmers should understand integer conversion rules before trying to implement secure arithmetic operations. (See INT02-C. Understand integer conversion rules.)

Implementation Details

GNU GCC invoked with the -fwrapv command-line option defines the same modulo arithmetic for both unsigned and signed integers.

GNU GCC invoked with the -ftrapv command-line option causes a trap to be generated when a signed integer overflows, which will most likely abnormally exit. On a UNIX system, the result of such an event may be a signal sent to the process.

GNU GCC invoked without either the -fwrapv or the -ftrapv option may simply assume that signed integers never overflow and may generate object code accordingly.

Atomic Integers

The C Standard defines the behavior of arithmetic on atomic signed integer types to use two's complement representation with silent wraparound on overflow; there are no undefined results. Although defined, these results may be unexpected and therefore carry similar risks to unsigned integer wrapping. (See INT30-C. Ensure that unsigned integer operations do not wrap.) Consequently, signed integer overflow of atomic integer types should also be prevented or detected. 

 

 

Addition

Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type. This rule applies only to addition between two operands of arithmetic type. (See ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR30-C. Do not form or use out-of-bounds pointers or array subscripts.)

Incrementing is equivalent to adding 1.

Noncompliant Code Example

This noncompliant code example can result in a signed integer overflow during the addition of the signed operands si_a and si_b:

Compliant Solution

This compliant solution ensures that the addition operation cannot overflow, regardless of representation:

 

Subtraction

Subtraction is between two operands of arithmetic type, two pointers to qualified or unqualified versions of compatible object types, or a pointer to an object type and an integer type. This rule applies only to subtraction between two operands of arithmetic type. (See ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR30-C. Do not form or use out-of-bounds pointers or array subscripts for information about pointer subtraction.)

Decrementing is equivalent to subtracting 1.

Noncompliant Code Example

This noncompliant code example can result in a signed integer overflow during the subtraction of the signed operands si_a and si_b:

Compliant Solution

This compliant solution tests the operands of the subtraction to guarantee there is no possibility of signed overflow, regardless of representation:

 

Multiplication

Multiplication is between two operands of arithmetic type.

Noncompliant Code Example

This noncompliant code example can result in a signed integer overflow during the multiplication of the signed operands si_a and si_b:

Compliant Solution

The product of two operands can always be represented using twice the number of bits than exist in the precision of the larger of the two operands. This compliant solution eliminates signed overflow on systems where long long is at least twice the precision of int:

The assertion fails if long long has less than twice the precision of int. The  PRECISION() macro and popcount() function provide the correct precision for any integer type. (See INT35-C. Use correct integer precisions.)

Compliant Solution

The following portable compliant solution can be used with any conforming implementation, including those that do not have an integer type that is at least twice the precision of int:

 

Division

Division is between two operands of arithmetic type. Overflow can occur during two's complement signed integer division when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1. Division operations are also susceptible to divide-by-zero errors. (See INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors.)

Noncompliant Code Example

This noncompliant code example prevents divide-by-zero errors in compliance with  INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors but does not prevent a signed integer overflow error in two's-complement. 

Implementation Details

On the x86-32 architecture, overflow results in a fault, which can be exploited as a  denial-of-service attack.

Compliant Solution

This compliant solution eliminates the possibility of divide-by-zero errors or signed overflow:

Remainder

The remainder operator provides the remainder when two operands of integer type are divided. Because many platforms implement remainder and division in the same instruction, the remainder operator is also susceptible to arithmetic overflow and division by zero. (See INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors.)

Noncompliant Code Example

Many hardware architectures implement remainder as part of the division operator, which can overflow. Overflow can occur during a remainder operation when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to −1. It occurs even though the result of such a remainder operation is mathematically 0. This noncompliant code example prevents divide-by-zero errors in compliance with INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors but does not prevent integer overflow:

Implementation Details

On x86-32 platforms, the remainder operator for signed integers is implemented by the idiv instruction code, along with the divide operator. Because LONG_MIN / −1 overflows, it results in a software exception with LONG_MIN % −1 as well.

Compliant Solution

This compliant solution also tests the remainder operands to guarantee there is no possibility of an overflow:

 

Left-Shift Operator

The left-shift operator takes two integer operands. The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are filled with zeros. 

The C Standard, 6.5.7, paragraph 4 [ISO/IEC 9899:2011], states

If E1 has a signed type and nonnegative value, and E1 × 2E2 is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.

In almost every case, an attempt to shift by a negative number of bits or by more bits than exist in the operand indicates a logic error. These issues are covered by INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand.

Noncompliant Code Example

This noncompliant code example performs a left shift, after verifying that the number being shifted is not negative, and the number of bits to shift is valid.  The PRECISION() macro and popcount() function provide the correct precision for any integer type. (See INT35-C. Use correct integer precisions.) However, because this code does no overflow check, it can result in an unrepresentable value. 

Compliant Solution

This compliant solution eliminates the possibility of overflow resulting from a left-shift operation:

Unary Negation

The unary negation operator takes an operand of arithmetic type. Overflow can occur during two's complement unary negation when the operand is equal to the minimum (negative) value for the signed integer type.

Noncompliant Code Example

This noncompliant code example can result in a signed integer overflow during the unary negation of the signed operand s_a:

Compliant Solution

This compliant solution tests the negation operation to guarantee there is no possibility of signed overflow:

Risk Assessment

Integer overflow can lead to buffer overflows and the execution of arbitrary code by an attacker.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT32-C

High

Likely

High

P9

L2

Automated Detection

Tool

Version

Checker

Description

Astrée17.04i

integer-overflow

Fully checked
CodeSonar4.4

ALLOC.SIZE.ADDOFLOW
ALLOC.SIZE.IOFLOW
ALLOC.SIZE.MULOFLOW
ALLOC.SIZE.SUBUFLOW
MISC.MEM.SIZE.ADDOFLOW
MISC.MEM.SIZE.BAD
MISC.MEM.SIZE.MULOFLOW
MISC.MEM.SIZE.SUBUFLOW

Addition overflow of allocation size
Integer overflow of allocation size
Multiplication overflow of allocation size
Subtraction underflow of allocation size
Addition overflow of size
Unreasonable size argument
Multiplication overflow of size
Subtraction underflow of size

Coverity2017.07

TAINTED_SCALAR

BAD_SHIFT

Implemented
LDRA tool suite9.5.6

493 S, 494 S

Partially implemented
Polyspace Bug FinderR2016a

Integer overflow, Tainted division operand

Overflow from operation between integers

Division / operands from an unsecure source

PRQA QA-C9.3

2800, 2801, 2802, 2803,2860,2861,2862,2863

Fully implemented
RuleChecker17.04iinteger-overflowFully checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[Dowd 2006]Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223)
[ISO/IEC 9899:2011]Subclause 6.5.5, "Multiplicative Operators"
[Seacord 2013b]Chapter 5, "Integer Security"
[Viega 2005]Section 5.2.7, "Integer Overflow"
[Warren 2002]Chapter 2, "Basics"

 


23 Comments

  1. The compliant solution for unsigned int addition is rather unclear.  Is something wrong with "if (UINT_MAX - ui1 > ui2)"?

    No general compliant solution for signed subtraction?

    Re the general compliant solution for signed multiplication, all that nesting is rather messy, in ways that a temp var or two could help clear up.  How about this:

    The main problem that I think may be lurking in the above, is the truncation semantics of division yielding a negative quotient, in which case limit may have to be incremented or decremented.  I have to think on that a bit more, but this should at least serve as a clearer starting point.

  2. The following program ran to completion using Microsoft Visual Studio 2005 Version 8.0.50727.42 and run on an IA-32 Windows XP box:

    The program took a while to run, but only output "done."

  3. In the ~uil example, some other rule ought to be violated (something like "don't unnecessarily embed platform dependencies").  Also, if one form is faster than the other, talk to your compiler vendor, because if they are truly equivalent tests then optimization should occur.

    1. The ~uil example always seems to draw criticism, so I have removed it to MSC14-C. Do not introduce unnecessary platform dependencies and give it as a non-compliant coding example. Please have a look at this new recommendation, if you have a chance.

  4. This rule may be technically correct, but it throws too heavy a burden on any programmer doing any math; even something as simple as x++.

    For instance, DCL06-A has example code that computes the quadratic formula:

    Concise and elegant, but this completely ignores overflow possibilities. This code can be done mostly with ints, just excepting the sqrt() function and divide operator.

    This rule basically requires an if statement with a complex boolean expression and a 'handle-overflow' clause for every math operation. So securing this 1-line formula would mutate it into a 30-line quagmire of if statements. The overhead of checking for overflow would completely obscure the original formula in the code.

    The ideal way to handle this would be with exceptions. In Java one could just say:

    Does C99 (or POSIX) provide any exception mechanism for integer overflow? Can we, for instance, do the math, and then check errno?

    And on top of that, the table omits the – operator! (smile)

    1. Subtraction is in the table, as well as unary negation.

      C99 provides no mechanism for checking integer overflow. Signed integer overflow is undefined behavior and unsigned integer arithmetic is modulo.

      However, this rule does not apply to: (-b + sqrt(b*b - 4*a*c)) / (2*a);

      It only applies to integer values used in any of the the following ways:

      • as an array index
      • in any pointer arithmetic
      • as a length or size of an object
      • as the bound of an array (for example, a loop counter)
      • in security-critical code

      The security-critical code is sort of a catch-all, but it doesn't catch quadratic formulas.

      1. Grr...the wiki doesn't show that by – I was referring to the decrement operator (post- or pre-), not unary minus or subtraction. (sad)

        I think the rule does apply to quadratic formulas, or at least, it should. If my q.f. generates the wrong result, that is an unexpected arithmetic value, even if I don't use it for an array index. The steps I would need to take to know if my q.f. gave me the right answer are the same steps you need to take to ensure your array index is correct.

        The only real difference (well, besides the fact my q.f. will involve floats) is that the math involved in array indices, pointer arithmetic, etc. is usually simpler than a q.f.

        Hm. There IS one other difference, and it may be crucial. You can do a q.f. on any integers (or floats). But array indices, as well as your other domains, are generally used within pre-specified domains...eg. within your static array, whose length is specified at compile time in a declaration, or at run-time with a malloc() call.

        I suppose this rule's domain (eg memory-related math), the math is simpler and more optimize-able than general math like my q.f.

  5. I'm thinking of separating out unsigned again into a "avoid wrapping" rule or possibly recommendation.

    What do people think?

    1. Haven't kept track of separating or not unsigned/signed, but one nitpick: "avoid wrapping" sounds wrong.  If you mean it about unsigned, well-defined wrapping is one reason to use unsigned in the first place.  About signed it's right, though one can't depend on wrapping anyway so it's better to make it a case of "don't invoke undefined behavior except when the implementation you write for defines it".

  6. I think the table about overflow/not overflow is misleading, I'd split it in arithmetic, bit, assignment, and conditional operations:

    • All assignment operators can truncate.
    • Bit operations cannot overflow, but I believe they can produce a trap representation: With two's complement, INT_MIN-1 if INT_MIN == -INT_MAX. Other representations: negative zero if that is a trap representation.
    • Both << and >> have undefined behavior if the right operand is too large. Shifting a negative value (I think), or a positive value so it becomes negative, yields undefined behavior (C99 6.5.7p4). Remember that two's complement representation does not imply silent wraparound and so on, though it's a common combination.

    The two's complement add/subtract solutions are broken:

    • An int can have fewer than sizeof(int)*CHAR_BIT value bits: Some of the bits may be padding bits. Rare enough that one might "fix" code depending on no padding by refusing to compile if there is padding though. Note, this also breaks the "compliant" solutions for shifting. Googling for "site:securecoding.cert.org sizeof CHAR_BIT" found several other examples.
    • As mentioned, (1 << (sign bit number) is undefined. Just use ~INT_MAX, that's what the limits.h constants are for. Except that can also break:
    • Even for two's complement, INT_MIN may be -INT_MAX so ~INT_MAX can be a trap representation. An example has been mentioned once on comp.lang.c, though I think the reason was poor - the implementation not bother to implement printf("%d", -INT-MAX-1) or something.

    The general compliant addition/subtraction solutions are unnecessarily big. Look at what you need to catch and reduce it a bit:

    Similar for addition.

    Another trick when you know both values are nonnegative (which is a common case) is to convert to unsigned, then operations are well-defined so you can test for overflow afterwards:

    The general compliant multiplication solution can be reduced by first swapping si1 and si2 if si1 > si2, or something like that. And as big as it is, it looks like a good case for doing

    The division and modulo tests are not quite right - the point is not that LONG_MIN is a problem, but that a value < -LONG_MAX, if that can exist, is a problem. Also you never need to do 3 tests:

    The same goes for unary negation - check if si1 < -INT_MAX. Possibly this also affects the multiplication solution, but I got tired just looking at that.

    1. For multiplication, this should be equivalent:

       It helps to play around a bit with code like that(smile)

      However one problem with this code is that it will compile but break on C90 implementations which can round away from zero if an operand is negative.  Many implementations support part of but not all C99, so it's probably best to catch it.  Either expand the test to handle that (just the thought makes me tired(smile) or add something to ensure the program will not compile if it makes wrong assumptions about the implementation:

  7. http://wiki.dinkumware.com/twiki/bin/view/WG14/CriticalUndefinedBehavior

    states

    INT_MIN % -1 is well-defined in the present standard to have value 0 without trapping, but lots of implementations get wrong.

    1. Also from the autoconf manual:

      On CPUs of the i386 family, dividing INT_MIN by -1 yields a SIGFPE signal which by default terminates the program. Worse, taking the remainder of these two values typically yields the same signal on these CPUs, even though the C standard requires INT_MIN % -1 to yield zero because the expression does not overflow.

    2. Added details about what INT_MIN % -1 does on various platforms.

      I would assert that the standard is not clear on this point. According to C99, section 6.5.5, paragraph 6:

      When integers are divided, the result of the / operator is the algebraic quotient with any fractional part discarded.) If the quotient a/b is representable, the expression (a/b)*b + a%b shall equal a.

      But, as noted above, INT_MIN/-1 is not representable (as a signed int); therefore one can argue that INT_MIN % -1 is undefined according to the standard.

      1. Because the result of the INT_MIN % -1 operation is representable, I think the standard requires that the operation not overflow.

        1. C11 modified the wording slightly:

          When integers are divided, the result of the / operator is the algebraic quotient with any fractional part discarded. If the quotient a/b is representable, the expression (a/b)*b + a%b shall equal a; otherwise, the behavior of both a/b and a%b is undefined.

          The key part, to me, is "if the quotient a/b is representable...otherwise, the behavior of both a/b and a%b is undefined."

           

          Since INT_MIN/-1 is not representable, I believe INT_MIN % -1 is undefined as well, regardless of whether the result is representable.

          1. Yes, that's right.  We actually participated in this discussion in WG14.  INT_MIN % -1 is explicitly undefined behavior in C11.

  8. Do we know of machines on which the two's complement solutions run faster than the general solutions? I just tested both solutions for signed addition on the andrew linux machines and found the two's complement solution was about 50% slower.

  9. I've mostly reviewed this rule.  I'm just wondering if it is ok to call the UWIDTH() macro on an unsigned integer type to get the width of a signed integer type.

  10. Under "Atomic Inetgers", it says "The C Standard defines the behavior of arithmetic on atomic signed integer types to use two's complement representation with silent wraparound on overflow." 

    I'm curious to know where in the standard I can find it.

  11. There is this from subclause 7.17.7.5 paragraph 3:

     

    For signed integer types, arithmetic is defined to use two’s complement representation with silent wrap-around on overflow; there are no undefined results.

  12. However, on GCC 4.2.4 and newer, with optimization enabled, taking the remainder of LONG_MIN by −1 yields the value 0.

    I believe this is wrong or inaccurate.

    Maybe gcc will yield the answer 0 at compile time, but I don't think it will do that at run time, because that means it will be force to insert extra branch instructions at every remainder operation if it can't rule out the possibility.

    1. I agree; that was probably the result of constant folding.  I removed everything from the implementation dependent section except the description of x86.