CWE-681 数值类型间的不正确转换

Incorrect Conversion between Numeric Types

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: High

基本描述

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
['Other', 'Integrity']	['Unexpected State', 'Quality Degradation']	The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability.

可能的缓解方案

Implementation

策略:

Avoid making conversion between numeric types. Always check for the allowed ranges.

示例代码

例

In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.

bad Java

int i = (int) 33457.8f;

例

This code adds a float and an integer together, casting the result to an integer.

bad PHP

$floatVal = 1.8345;
$intVal = 3;
$result = (int)$floatVal + $intVal;

Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences.

例

In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

bad C

unsigned int readdata () {

int amount = 0;
...
if (result == ERROR)
amount = -1;
...
return amount;

}

If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

例

In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

bad C

unsigned int readdata () {

int amount = 0;
...
amount = accessmainframe();
...
return amount;

}

If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

分析过的案例

标识	说明	链接
CVE-2007-4268	Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268
CVE-2007-4988	Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988
CVE-2009-0231	Integer truncation of length value leads to heap-based buffer overflow.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0231
CVE-2008-3282	Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
CERT C Secure Coding	FLP34-C	CWE More Abstract	Ensure that floating point conversions are within range of the new type
CERT C Secure Coding	INT15-C		Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
CERT C Secure Coding	INT31-C	CWE More Abstract	Ensure that integer conversions do not result in lost or misinterpreted data
CERT C Secure Coding	INT35-C		Evaluate integer expressions in a larger size before comparing or assigning to that size
The CERT Oracle Secure Coding Standard for Java (2011)	NUM12-J		Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
Software Fault Patterns	SFP1		Glitch in computation
OMG ASCSM	ASCSM-CWE-681

引用

REF-962 Automated Source Code Security Measure (ASCSM)

VULHUB ™