CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types


CWE-681: Incorrect Conversion between Numeric Types

 
Weakness ID: 681 (Weakness Base)
Status: Draft
+ Description

Description Summary

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Language-Independent

+ Common Consequences
Scope: Other, Integrity

Technical Impact: Unexpected state; Quality degradation

The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability.

+ Likelihood of Exploit

Medium to High

+ Demonstrative Examples

Example 1

In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.

(Bad Code)
Example Language: Java 
int i = (int) 33457.8f;

Example 2

This code adds a float and an integer together, casting the result to an integer.

(Bad Code)
Example Language: PHP 
$floatVal = 1.8345;
$intVal = 3;
// Cast the sum (4.8345) to int, as the description states.
$result = (int)($floatVal + $intVal);

Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences.

Example 3

In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

(Bad Code)
Example Language: C
unsigned int readdata () {
    int amount = 0;
    ...
    if (result == ERROR)
        amount = -1;
    ...
    return amount;
}

If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

Example 4

In this example, depending on the return value of accessmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

(Bad Code)
Example Language: C
unsigned int readdata () {
    int amount = 0;
    ...
    amount = accessmainframe();
    ...
    return amount;
}

If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

+ Observed Examples
Reference | Description
CVE-2007-4268 | Chain: integer signedness passes signed comparison, leads to heap overflow
CVE-2007-4988 | Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
CVE-2009-0231 | Integer truncation of length value leads to heap-based buffer overflow.
CVE-2008-3282 | Size of a particular type changes for 64-bit platforms, leading to an integer truncation in a document processor that causes an incorrect index to be generated.
+ Potential Mitigations

Phase: Implementation

Avoid making conversions between numeric types. Always check for the allowed ranges.
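
The range checks this mitigation calls for, applied to the signed-to-unsigned case of Examples 3 and 4 and to integer narrowing and float-to-int conversion. This is an added example, not part of the CWE entry; the helper names and `accessmainframe_stub` are hypothetical, and the float check assumes `int` fits exactly in a `double`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Signed -> unsigned: reject negatives instead of letting them wrap. */
bool int_to_uint(int in, unsigned int *out) {
    if (in < 0) return false;
    *out = (unsigned int)in;
    return true;
}

/* Wide -> narrow integer: reject values that would be truncated. */
bool i64_to_i32(int64_t in, int32_t *out) {
    if (in < INT32_MIN || in > INT32_MAX) return false;
    *out = (int32_t)in;
    return true;
}

/* Floating point -> int: NaN and out-of-range inputs are rejected because
 * converting them is undefined behaviour; in-range fractions are dropped. */
bool double_to_int(double in, int *out) {
    if (in != in) return false;                      /* NaN */
    if (in <= (double)INT_MIN - 1.0 || in >= (double)INT_MAX + 1.0) return false;
    *out = (int)in;
    return true;
}

/* Hypothetical stand-in for accessmainframe(); returns a constructed value. */
static int accessmainframe_stub(int simulated) { return simulated; }

/* Unchecked, as in Examples 3 and 4: a negative int wraps on return. */
unsigned int readdata_unchecked(int simulated) {
    int amount = accessmainframe_stub(simulated);
    return amount;
}

/* Checked: the error status and the amount travel separately. */
bool readdata_checked(int simulated, unsigned int *amount) {
    return int_to_uint(accessmainframe_stub(simulated), amount);
}

int main(void) {
    unsigned int amount = 0;
    printf("unchecked(-1) = %u\n", readdata_unchecked(-1));
    printf("checked(-1) ok = %d\n", readdata_checked(-1, &amount));
    return 0;
}
```

Returning the status as a `bool` and the value through an out-parameter keeps an error code such as -1 from ever being interpreted as a size or count.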

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 136 | Type Errors | Development Concepts (primary) 699
ChildOf | Category | 189 | Numeric Errors | Development Concepts 699
ChildOf | Weakness Class | 704 | Incorrect Type Conversion or Cast | Research Concepts (primary) 1000
ChildOf | Category | 738 | CERT C Secure Coding Section 04 - Integers (INT) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734
ChildOf | Category | 739 | CERT C Secure Coding Section 05 - Floating Point (FLP) | Weaknesses Addressed by the CERT C Secure Coding Standard 734
ChildOf | Category | 808 | 2010 Top 25 - Weaknesses On the Cusp | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) 800
ChildOf | Category | 848 | CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844
ChildOf | Category | 867 | 2011 Top 25 - Weaknesses On the Cusp | Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors (primary) 900
ChildOf | Category | 872 | CERT C++ Secure Coding Section 04 - Integers (INT) | Weaknesses Addressed by the CERT C++ Secure Coding Standard (primary) 868
ChildOf | Category | 873 | CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP) | Weaknesses Addressed by the CERT C++ Secure Coding Standard 868
ChildOf | Category | 885 | SFP Cluster: Risky Values | Software Fault Pattern (SFP) Clusters (primary) 888
CanPrecede | Weakness Class | 682 | Incorrect Calculation | Research Concepts 1000
ParentOf | Category | 192 | Integer Coercion Error | Research Concepts (primary) 1000
ParentOf | Weakness Base | 194 | Unexpected Sign Extension | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 195 | Signed to Unsigned Conversion Error | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 196 | Unsigned to Signed Conversion Error | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 197 | Numeric Truncation Error | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | View | 884 | CWE Cross-section | CWE Cross-section (primary) 884
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CERT C Secure Coding | FLP33-C | | Convert integers to floating point for floating point operations
CERT C Secure Coding | FLP34-C | | Ensure that floating point conversions are within range of the new type
CERT C Secure Coding | INT15-C | | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
CERT C Secure Coding | INT31-C | | Ensure that integer conversions do not result in lost or misinterpreted data
CERT C Secure Coding | INT35-C | | Evaluate integer expressions in a larger size before comparing or assigning to that size
CERT Java Secure Coding | NUM12-J | | Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
CERT C++ Secure Coding | INT15-CPP | | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
CERT C++ Secure Coding | INT31-CPP | | Ensure that integer conversions do not result in lost or misinterpreted data
CERT C++ Secure Coding | INT35-CPP | | Evaluate integer expressions in a larger size before comparing or assigning to that size
CERT C++ Secure Coding | FLP33-CPP | | Convert integers to floating point for floating point operations
CERT C++ Secure Coding | FLP34-CPP | | Ensure that floating point conversions are within range of the new type
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Type Conversions", Page 223. 1st Edition. Addison Wesley. 2006.
+ Content History
Modifications
Modification Date | Modifier | Organization | Source | Change
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Potential_Mitigations, Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships
2008-11-24 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy_Mappings
2009-12-28 | CWE Content Team | MITRE | Internal | updated Applicable_Platforms, Likelihood_of_Exploit, Potential_Mitigations
2010-02-16 | CWE Content Team | MITRE | Internal | updated Relationships
2011-03-29 | CWE Content Team | MITRE | Internal | updated Demonstrative_Examples
2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Observed_Examples, Relationships
2011-09-13 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy_Mappings
2012-05-11 | CWE Content Team | MITRE | Internal | updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Page Last Updated: February 18, 2014