
IAR Embedded Workbench for RX 5.20

CERT-INT30-C_a

Synopsis

Ensure that unsigned integer operations do not wrap.

Enabled by default

Yes

Severity/Certainty

High/High

Full description

Unsigned integer operations can wrap if the result cannot be represented in the integer's underlying representation. Integer values must not be allowed to wrap. This check warns if the result of an unsigned operation that could wrap is used in any of the following ways: as an integer operand of pointer arithmetic, including array indexing; as the assignment expression in the declaration of a variable length array; as the postfix expression preceding square brackets [] or the expression inside square brackets [] of a subscripted designation of an element of an array object; as a function argument of type size_t or rsize_t.

Coding standards
CERT INT30-C

Ensure that unsigned integer operations do not wrap

Code examples

The following code example fails the check and will give a warning:

#include <stdlib.h>
void example(unsigned int a, unsigned int b) {
    /* a + b can wrap, so malloc may receive a size_t argument far smaller than intended */
    void * p = malloc(a + b);
}

The following code example passes the check and will not give a warning about this issue:

#include <limits.h>
void example(unsigned int a, unsigned int b) {
    unsigned int usum;
    if (UINT_MAX - a < b) {
        /* Handle error */
    } else {
        usum = a + b;
    }
}

void post_check(unsigned int a, unsigned int b) {
    unsigned int usum = a + b;
    if (usum < a) {
        /* Handle error */
    }
}

void non_critical(unsigned int a, unsigned int b) {
    // CERT-INT30-C_b warns on this though.
    unsigned int usum = a + b;
}
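The compliant examples above stop at a comment where the error is handled. The following is an added example, not code from the IAR documentation, that turns the precondition test into reusable checked-arithmetic helpers and, going beyond the page's addition-only case, applies the same pattern to multiplication before a size reaches malloc. Function names are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Checked addition: uses the same precondition as the page's compliant
 * example (a + b fits iff b <= UINT_MAX - a) and reports failure instead
 * of letting the sum wrap. */
bool checked_add_uint(unsigned int a, unsigned int b, unsigned int *out)
{
    if (UINT_MAX - a < b) {
        return false;            /* would wrap: caller must handle it */
    }
    *out = a + b;
    return true;
}

/* Checked multiplication (beyond the page's add-only example): a * b fits
 * iff a <= UINT_MAX / b; b == 0 can never wrap and is handled first. */
bool checked_mul_uint(unsigned int a, unsigned int b, unsigned int *out)
{
    if (b != 0 && a > UINT_MAX / b) {
        return false;
    }
    *out = a * b;
    return true;
}

/* Allocate count * elem_size + header bytes with every step checked.
 * Returns NULL on wrap or allocation failure, so a wrapped (too small)
 * buffer is never handed back to the caller. */
void *alloc_checked(unsigned int count, unsigned int elem_size, unsigned int header)
{
    unsigned int bytes;
    unsigned int total;
    if (!checked_mul_uint(count, elem_size, &bytes)) {
        return NULL;
    }
    if (!checked_add_uint(bytes, header, &total)) {
        return NULL;
    }
    return malloc(total);
}
```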