Difference between revisions of "Cpp Coding Standards/SECURITY/IntOver"

Revision as of 18:35, 22 May 2007

Be aware that integers have limited range – not properly checking valid input ranges before doing integer arithmetic, or assigning to other integer types of insufficient range, will lead to overflows. Often, integer overflows can be used as an attack vector to launch a subsequent buffer overflow, with the fatal consequences outlined in SECURITY:NoBufferOverflow.

Hints:

• Read and understand this background article on integer overflows.

• Generally, use sal_Size for buffer sizes and counts. There is usually no reason to use a signed value here (but watch out for assignments and comparisons with signed types).

• If you perform integer arithmetic, and the result is used to index arrays, calculate sizes, or as a parameter to array-new, make sure the operands fall into a safe, and well-understood range (check before you perform the calculation). Be even more careful if the input for this aritmetics is coming from an untrusted source like values read from a document by a document parsing code.

• Be extremely careful not to pass signed integers to memory allocation functions (new, alloca, rtl_allocateMemory), as they are interpreted as unsigned integers.

• Triple-check any integer-related compiler warnings, and any cast operations that silence them.

• Be aware of the implicit buffer overflows in new[] operator.

See also Reviewing Code for Integer Manipulation Vulnerabilities.