Kingdom: Code Quality
Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
Type Mismatch: Integer to Character
Abstract
The function returns an
unsigned char cast to an int, but the return value is assigned to a char type.Explanation
When an unsigned character cast to an integer is assign to a signed character, its value might be indistinguishable from
Example 1: The following code reads a character and compares it to
In this case, the return value from
EOF.Example 1: The following code reads a character and compares it to
EOF.
char c;
while ( (c = getchar()) != '\n' && c != EOF ) {
...
}
In this case, the return value from
getchar() is cast to a char and compared to EOF (an int). Assuming c is a signed 8-bit value and EOF is a 32-bit signed value, then if getchar() returns a character represented by 0xFF, the value of c will be sign extended to 0xFFFFFFFF in the comparison to EOF. Since EOF is typically defined as -1 (0xFFFFFFFF), the loop will terminate erroneously.References
[1] Distinguish between characters read from a file and EOF or WEOF CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 192
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 10.3
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 7.5, Rule 7.6, Rule 10.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 5-0-3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 7.0.5, Rule 7.0.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3550 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3550 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3550 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3550 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3550 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3550 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3550 CAT I
desc.structural.cpp.type_mismatch_integer_to_character