Channels ▼


Integral Security

Integer Errors

There are three common integer errors that lead to software vulnerabilities: overflow, sign errors, and truncation.

  • An integer overflow occurs when an integer is increased beyond its maximum value or decreased beyond its minimum value.
  • Truncation errors occur when an integer is converted to a smaller integer type and the value of the original integer is outside the range of the smaller type. In these cases, the low-order bits of the original value are preserved and the high-order bits are lost.
  • Sign errors occur when data is misinterpreted but there is no loss of data. Sign errors can occur when converting between signed and unsigned integers.

With few exceptions, compilers do not generally issue diagnostics for potential integer errors or report these errors at runtime. The Visual C++ .NET 2003 compiler, for example, does generates a compiler warning (C4244) when an integer value is assigned to a smaller integer type. At warning level 1, a warning will be issued if a value of type __int64 is assigned to a variable of type unsigned int. At warning level 3 and 4, a "possible loss of data" warning is issued if an integer type is converted to a smaller integer type.

As a result, preventing integer errors is primarily left to programmers and is impossible without a deep understanding of integer behavior in C and C++. It is apparent in the example below that the developer made some effort to prevent an integer overflow from occurring when multiplying cBlocks by 16:

void* AllocBlocks(size_t cBlocks) {
  // allocating no blocks is an error
  if (cBlocks == 0) return NULL; 
  // Allocate enough memory
  // Upcast the result to a 64-bit integer
  // and check against 32-bit UINT_MAX 
  // to make sure there's no overflow
  unsigned long long alloc = cBlocks * 16;
  return (alloc < UINT_MAX) 
    ? malloc(cBlocks * 16)
    : NULL;

Unfortunately, this example contains an incorrect assumption about integer behavior. The developer has assumed that because the result of multiplication is being stored in a 64-bit unsigned long long integer that the multiplication will result in a 64-bit value. This is not the case, however. To be compliant with the language standard, multiplying two 32-bit numbers in this context must yield a 32-bit result. The resulting value is zero-extended to create a 64-bit value. As a result, any overflow resulting from this multiplication will remain undetected, and the value of alloc is always less than UINT_MAX.

A good source of information on integral security is the CERT Secure Coding Standards for C and C++. The rationale for these standards is described in NIST Special Publication 500-262.

Mitigation Strategies

Mitigation strategies for integer errors include range checking, compiling with high warning levels and eliminating all warnings, testing, reviews, and safe integer operations.

Safe integer operations typically involve using a library or class that provides safe integer operations for integer values that originate from untrusted sources and are used as an array index, in any pointer arithmetic, as a length or size of an object, as the bound of an array (for example, a loop counter), as an argument to a memory allocation function, or in security critical code.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.