Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
Extended Description
When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.
Time of Introduction
Implementation
Applicable Platforms
Languages
C
C++
Java
.NET
Common Consequences
Scope
Effect
Integrity
Technical Impact: Modify memory
The true value of the data is lost and corrupted data is used.
Likelihood of Exploit
Low
Demonstrative Examples
Example 1
This example, while not exploitable, shows the possible mangling of
values associated with truncation errors:
The above code, when compiled and run on certain systems, returns the
following output:
(Result)
Int MAXINT: 2147483647
Short MAXINT: -1
This problem may be exploitable when the truncated value is used as
an array index, which can happen implicitly when 64-bit values are used
as indexes, as they are truncated to 32 bits.
Example 2
In the following Java example, the method updateSalesForProduct is
part of a business application class that updates the sales information for
a particular product. The method receives as arguments the product ID and
the integer amount sold. The product ID is used to retrieve the total
product count from an inventory object which returns the count as an
integer. Before calling the method of the sales object to update the sales
count the integer values are converted to The primitive type short since the
method requires short type for the method arguments.
(Bad Code)
Example
Language: Java
...
// update sales database for number of product sold with
product ID
public void updateSalesForProduct(String productID, int
amountSold) {
// get the total number of products in inventory
database
int productCount =
inventory.getProductCount(productID);
// convert integer values to short, the method for
the
// sales object requires the parameters to be of type
short
short count = (short) productCount;
short sold = (short) amountSold;
// update sales database for product
sales.updateSalesCount(productID, count, sold);
}
...
However, a numeric truncation error can occur if the integer values
are higher than the maximum value allowed for the primitive type short.
This can cause unexpected results or loss or corruption of data. In this
case the sales database may be corrupted with incorrect data. Explicit
casting from a from a larger size primitive type to a smaller size
primitive type should be prevented. The following example an if
statement is added to validate that the integer values less than the
maximum value for the primitive type short before the explicit cast and
the call to the sales method.
(Good Code)
Example
Language: Java
...
// update sales database for number of product sold with
product ID
public void updateSalesForProduct(String productID, int
amountSold) {
// get the total number of products in inventory
database
int productCount =
inventory.getProductCount(productID);
// make sure that integer numbers are not greater
than
// maximum value for type short before converting
if ((productCount < Short.MAX_VALUE) &&
(amountSold < Short.MAX_VALUE)) {
// convert integer values to short, the method for
the
// sales object requires the parameters to be of type
short
This weakness has traditionally been under-studied and under-reported,
although vulnerabilities in popular software have been published in 2008 and
2009.
Taxonomy Mappings
Mapped Taxonomy Name
Node ID
Fit
Mapped Node Name
PLOVER
Numeric truncation error
CLASP
Truncation error
CERT C Secure Coding
INT02-C
Understand integer conversion rules
CERT C Secure Coding
INT05-C
Do not use input functions to convert character data if they
cannot handle all possible inputs
CERT C Secure Coding
INT31-C
Ensure that integer conversions do not result in lost or
misinterpreted data
CERT Java Secure Coding
NUM12-J
Ensure conversions of numeric types to narrower types do not
result in lost or misinterpreted data
CERT C++ Secure Coding
INT02-CPP
Understand integer conversion rules
CERT C++ Secure Coding
INT05-CPP
Do not use input functions to convert character data if they
cannot handle all possible inputs
CERT C++ Secure Coding
INT31-CPP
Ensure that integer conversions do not result in lost or
misinterpreted data
References
[REF-7] Mark Dowd, John McDonald
and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Truncation", Page 259.. 1st Edition. Addison Wesley. 2006.
Description
