界: Code Quality
代码质量不佳会导致不可预测的行为。对于用户来说,通常表现为可用性差。对于攻击者来说,提供了以意外方式对系统施加压力的机会。
Type Mismatch: Integer to Character
Abstract
函数将返回转换为
int 的 unsigned char,但返回值将赋给 char 类型。Explanation
当转换为整数的不带符号的字符赋给带符号的字符时,可能无法从
示例 1:以下代码会读取一个字符,并将其与
在这种情况下,来自
EOF 区别其值。示例 1:以下代码会读取一个字符,并将其与
EOF 进行比较。
char c;
while ( (c = getchar()) != '\n' && c != EOF ) {
...
}
在这种情况下,来自
getchar() 的返回值将转换为 char 并与 EOF(一个 int)进行比较。假设 c 是一个带符号的 8 位值,EOF 是一个带符号的 32 位值,那么如果 getchar() 返回由 0xFF 表示的字符,则与 EOF 相比,c 的值将是 0xFFFFFFFF 的符号扩展。由于 EOF 通常定义为 -1 (0xFFFFFFFF),因此该循环将错误地终止。References
[1] Distinguish between characters read from a file and EOF or WEOF CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 192
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 10.3
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 7.5, Rule 7.6, Rule 10.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 5-0-3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 7.0.5, Rule 7.0.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3550 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3550 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3550 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3550 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3550 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3550 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3550 CAT I
desc.structural.cpp.type_mismatch_integer_to_character