The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
Time of Introduction
Implementation
Applicable Platforms
Languages
C
C++
Common Consequences
Scope
Effect
Integrity
Confidentiality
Availability
Other
Technical Impact: Read memory; Modify memory; Other
When an unexpected sign extension occurs in code that operates
directly on memory buffers, such as a size value or a memory index, then
it could cause the program to write or read outside the boundaries of
the intended buffer. If the numeric value is associated with an
application-level resource, such as a quantity or price for a product in
an e-commerce site, then the sign extension could produce a value that
is much higher (or lower) than the application's allowable range.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
The following code reads a maximum size and performs a sanity check
on that size. It then performs a strncpy, assuming it will not exceed the
boundaries of the array. While the use of "short s" is forced in this
particular example, short int's are frequently used within real-world code,
such as code that processes structured data.
(Bad Code)
Example
Language: C
int GetUntrustedInt () {
return(0x0000FFFF);
}
void main (int argc, char **argv) {
char path[256];
char *input;
int i;
short s;
unsigned int sz;
i = GetUntrustedInt();
s = i;
/* s is -1 so it passes the safety check - CWE-697 */
if (s > 256) {
DiePainfully("go away!\n");
}
/* s is sign-extended and saved in sz */
sz = s;
/* output: i=65535, s=-1, sz=4294967295 - your mileage may
vary */
printf("i=%d, s=%d, sz=%u\n", i, s, sz);
input = GetUserInput("Enter pathname:");
/* strncpy interprets s as unsigned int, so it's treated as
MAX_INT
(CWE-195), enabling buffer overflow (CWE-119) */
strncpy(path, input, s);
path[255] = '\0'; /* don't want CWE-170 */
printf("Path is: %s\n", path);
}
This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119).
Product uses "char" type for input character. When
char is implemented as a signed type, ASCII value 0xFF (255), a sign
extension produces a -1 value that is treated as a program-specific
separator value, effectively disabling a length check and leading to a
buffer overflow. This is also a multiple interpretation
error.
chain: signed short width value in image processor
is sign extended during conversion to unsigned int, which leads to integer
overflow and heap-based buffer overflow.
Sign extension when manipulating Pascal-style
strings leads to integer overflow and improper memory
copy.
Potential Mitigations
Phase: Implementation
Avoid using signed variables if you don't need to represent negative
values. When negative values are needed, perform sanity checks after you
save those values to larger data types, or before passing them to
functions that are expecting unsigned values.
Sign extension errors can lead to buffer overflows and other memory-based
problems. They are also likely to be factors in other weaknesses that are
not based on memory operations, but rely on numeric calculation.
This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.
More information is available — Please select a different filter.
Page Last Updated:
May 05, 2017
Use of the Common Weakness Enumeration and the associated references from this website are subject to the
Terms of Use. For more information, please email
cwe@mitre.org.
Description
