界: Code Quality
程式碼品質不佳,會導致無法預料的行為。從使用者的角度來看,這通常表現為可用性不佳。對於攻擊者而言,這提供了以意想不到的方式向系統施加壓力的機會。
Type Mismatch: Integer to Character
Abstract
函數會傳回轉換為
int 的 unsigned char,但傳回值會指定為 char 類型。Explanation
當轉換為整數的無符號字元指派給有符號的字元,其值可能會與
範例 1:以下程式碼讀取一個字元,並將其與
在此案例中,
EOF 無法區分。範例 1:以下程式碼讀取一個字元,並將其與
EOF 做比較。
char c;
while ( (c = getchar()) != '\n' && c != EOF ) {
...
}
在此案例中,
getchar() 的傳回值會轉換為 char,並與 EOF (int) 做比較。假設 c 是 8 位元有號值,而 EOF 是 32 位元有號值,那麼若 getchar() 傳回以 0xFF 表示的字元,則在與 EOF 比較時,c 值的正負數符號將會延伸至 0xFFFFFFFF。由於 EOF 通常會定義為-1 (0xFFFFFFFF),因此迴圈會錯誤地終止。References
[1] Distinguish between characters read from a file and EOF or WEOF CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 192
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 10.3
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 7.5, Rule 7.6, Rule 10.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 5-0-3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 7.0.5, Rule 7.0.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3550 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3550 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3550 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3550 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3550 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3550 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3550 CAT I
desc.structural.cpp.type_mismatch_integer_to_character