Incorrect Conversion between Numeric Types
ID: 681 | Created: 2012-05-14 | Modified: 2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
When converting from one data type to another, such as long to
integer, data can be omitted or translated in a way that produces unexpected
values. If the resulting values are used in a sensitive context, then dangerous
behaviors may occur.
Likelihood of Exploit: Medium to High
Applicable Platforms: Language Class: Language-Independent
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Other, Integrity | Unexpected state, Quality degradation | The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability. |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | Avoid making conversions between numeric types. Always check for the allowed ranges. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-681 ChildOf CWE-885 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following Java example, a float literal is cast to an
integer, thus causing a loss of precision.
- In this example the variable amount can hold a negative value when
it is returned. Because the function is declared to return an unsigned int,
amount will be implicitly converted to unsigned. (Demonstrative Example Id DX-73)
- In this example, depending on the return value of
accecssmainframe(), the variable amount can hold a negative value when it is
returned. Because the function is declared to return an unsigned value,
amount will be implicitly cast to an unsigned number. (Demonstrative Example Id DX-74)
- This code adds a float and an integer together, casting the result
to an integer.
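As an added illustration (not the CWE's own demonstrative code), the signed-to-unsigned return pattern from the two examples above, written in C beside a range-checked variant in the spirit of INT31-C. lookup_balance() is a constructed stand-in for accecssmainframe(); narrow_llong_to_int() is an assumed helper name.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the page's accecssmainframe(): returns the balance
 * for a known account and a negative error code otherwise. */
static int lookup_balance(int account) {
    return (account == 42) ? 1500 : -1;   /* -1 signals "account not found" */
}

/* Weak form (the pattern the CWE describes): the negative error code is
 * implicitly converted to unsigned and comes back as a huge positive amount. */
unsigned int read_amount_weak(int account) {
    int amount = lookup_balance(account);
    return amount;   /* implicit int -> unsigned int; -1 becomes UINT_MAX */
}

/* Hardened form: check the range before converting and report failure through
 * a separate channel, so an error can never be mistaken for a valid amount. */
bool read_amount_checked(int account, unsigned int *out) {
    int amount = lookup_balance(account);
    if (amount < 0) {
        return false;   /* negative values have no unsigned representation */
    }
    *out = (unsigned int)amount;
    return true;
}

/* Generic narrowing helper (assumed name): long long -> int only when the
 * value is representable in the narrower type, otherwise fail. */
bool narrow_llong_to_int(long long value, int *out) {
    if (value < INT_MIN || value > INT_MAX) {
        return false;
    }
    *out = (int)value;
    return true;
}

int main(void) {
    unsigned int amt = 0;
    int narrowed = 0;
    printf("weak amount for unknown account: %u\n", read_amount_weak(7));
    printf("checked amount for unknown account ok: %d\n",
           read_amount_checked(7, &amt));
    printf("narrow INT_MAX+1 ok: %d\n",
           narrow_llong_to_int((long long)INT_MAX + 1, &narrowed));
    return 0;
}
```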
Observed Examples
- CVE-2007-4268 : Chain: integer signedness error passes a signed comparison, leading to heap overflow.
- CVE-2007-4988 : Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
- CVE-2009-0231 : Integer truncation of length value leads to heap-based buffer overflow.
- CVE-2008-3282 : Size of a particular type changes for 64-bit platforms, leading to an integer truncation in a document processor that causes an incorrect index to be generated.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
CERT C Secure Coding | FLP33-C | Convert integers to floating point for floating point operations | |
CERT C Secure Coding | FLP34-C | Ensure that floating point conversions are within range of the new type | |
CERT C Secure Coding | INT15-C | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types | |
CERT C Secure Coding | INT31-C | Ensure that integer conversions do not result in lost or misinterpreted data | |
CERT C Secure Coding | INT35-C | Evaluate integer expressions in a larger size before comparing or assigning to that size | |
CERT Java Secure Coding | NUM12-J | Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data | |
CERT C++ Secure Coding | INT15-CPP | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types | |
CERT C++ Secure Coding | INT31-CPP | Ensure that integer conversions do not result in lost or misinterpreted data | |
CERT C++ Secure Coding | INT35-CPP | Evaluate integer expressions in a larger size before comparing or assigning to that size | |
CERT C++ Secure Coding | FLP33-CPP | Convert integers to floating point for floating point operations | |
CERT C++ Secure Coding | FLP34-CPP | Ensure that floating point conversions are within range of the new type | |
References:
- Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley, 2006. Chapter 6, "Type Conversions", Page 223.