CRITICAL
								
				
				
				
								
Rule Definition
An integer overflow check is typically written by adding the two operands and comparing the sum with one of them, for example x + y < x. In C and C++, operands narrower than int (char, short and their unsigned variants) undergo integer promotion before the addition, so the sum is computed as an int (or unsigned int) rather than in the operands' own type. On the common platforms where int is 32 bits, the sum of two 16-bit values cannot wrap, the comparison is always false and the check never fires. The check is only meaningful if the result of the addition is explicitly converted back to the operands' type before it is compared, or if the comparison is rewritten so that the overflowing addition is never evaluated. Note that on a platform where int is no wider than short the operands promote to unsigned int instead and the naive check behaves as intended, so the defect is platform-dependent and easy to miss in testing.
This becomes security-critical when the result is used to control a loop, to make a security decision, or to derive an offset or size used in memory allocation, copying, concatenation and similar operations: the value actually stored is the truncated sum, so an undetected wrap can turn a large length into a small one.
								
				
Remediation
Make the comparison operate on the intended type rather than on the promoted one: cast the result of the addition back to the operands' type (or store it in a variable of that type) before comparing it with an operand. Alternatively, test against the type's maximum before adding (for unsigned x and y: x > MAX - y), which never computes a wrapped value and also works for types wider than int. For signed operands prefer the pre-check form, since signed overflow is undefined behaviour in C and C++ and a post-addition comparison may be optimized away.
												
Violation Code Sample

bool OverFlowcheck(unsigned short x, unsigned short y) {
  // x and y are promoted to int before the addition; with a 32-bit int the
  // sum of two 16-bit values never wraps, so this comparison is always false.
  return (x + y < x);
}
				 
Fixed Code Sample

bool OverFlowcheck(unsigned short int x, unsigned short int y) {
  // Truncate the promoted sum back to unsigned short before comparing, so a
  // wrap-around in the 16-bit type is detected.
  return (static_cast <unsigned short int>(x + y) < x); //Fixed
}
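As an added example (not code from the CAST rule page), the following C++ program puts the flawed and fixed checks side by side, adds a pre-addition check built on std::numeric_limits that never computes the wrapped value, and feeds all of them a constructed length computation in which the flawed check lets a 16-bit total wrap to a small value. The record-length scenario, the function names and the sample values are assumptions made for illustration.

```cpp
#include <cstdio>
#include <limits>
#include <type_traits>

// The defect only manifests where int is wider than unsigned short; on a
// platform with a 16-bit int the operands would promote to unsigned int and
// the naive check would behave as intended.
static_assert(sizeof(int) > sizeof(unsigned short),
              "example assumes int is wider than unsigned short");

// Flawed check (as in the violation sample): x + y is evaluated as int, so the
// sum of two 16-bit values never wraps and this is always false.
bool overflow_check_flawed(unsigned short x, unsigned short y) {
    return (x + y < x);
}

// Fixed check (as in the fixed sample): truncate the promoted sum back to the
// operand type before comparing, so wrap-around in 16 bits is observed.
bool overflow_check_fixed(unsigned short x, unsigned short y) {
    return static_cast<unsigned short>(x + y) < x;
}

// Pre-addition check that never computes a wrapped value. Works for any
// unsigned integer type, including ones wider than int where promotion does
// not apply. max() - y cannot itself underflow because y <= max().
template <typename T>
bool would_overflow_unsigned(T x, T y) {
    static_assert(std::is_unsigned<T>::value, "unsigned integer types only");
    return x > std::numeric_limits<T>::max() - y;
}

// Hypothetical sink: a parser adds two 16-bit length fields from a record
// header and uses the total to size a buffer. Returns -1 when the supplied
// check rejects the input, otherwise the 16-bit total the caller would use.
int record_total_length(unsigned short header_len, unsigned short payload_len,
                        bool (*check)(unsigned short, unsigned short)) {
    if (check(header_len, payload_len)) {
        return -1;  // rejected: the total does not fit in 16 bits
    }
    // The stored total is the truncated sum, whatever the check said.
    unsigned short total =
        static_cast<unsigned short>(header_len + payload_len);
    return total;
}

int main() {
    // Constructed input: 0xFFF0 + 0x20 = 0x10010, which wraps to 0x10 in 16 bits.
    const unsigned short hdr = 0xFFF0, pay = 0x20;
    std::printf("flawed check : total = %d\n",
                record_total_length(hdr, pay, overflow_check_flawed));  // 16
    std::printf("fixed check  : total = %d\n",
                record_total_length(hdr, pay, overflow_check_fixed));   // -1
    std::printf("pre-check    : overflow = %d\n",
                would_overflow_unsigned<unsigned short>(hdr, pay));     // 1
    return 0;
}
```

With the flawed check the parser accepts the record and proceeds with a 16-byte total for what is really a 65,552-byte payload; the fixed check and the pre-check both reject it. The pre-check form is the one to reuse when the operands may be signed or wider than int.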
				 
												
Reference
https://cwe.mitre.org/data/definitions/190.html

Related Technologies

Technical Criterion
Secure Coding - Weak Security Features