CertC-INT07
Use only explicitly signed or unsigned char type for numeric values
Required inputs: IR
The three types `char`, `signed char`, and `unsigned char` are collectively called the character types. Compilers have the latitude to define `char` to have the same range, representation, and behavior as either `signed char` or `unsigned char`. Irrespective of the choice made, `char` is a separate type from the other two and is not compatible with either.
Use only the `signed char` and `unsigned char` types for the storage and use of numeric values, because this is the only portable way to guarantee the signedness of the character types (see STR00-C. Represent characters using an appropriate type for more information on representing characters).
Noncompliant Code Example
In this noncompliant code example, the `char`-type variable `c` may be signed or unsigned. Assuming 8-bit, two's complement character types, this code may print out either `i/c = 5` (unsigned) or `i/c = -17` (signed). It is much more difficult to reason about the correctness of a program without knowing whether these integers are signed or unsigned.

```c
#include <stdio.h>
int main(void) {
    char c = 200; /* plain char: holds 200 if unsigned, -56 if signed */
    int i = 1000;
    printf("i/c = %d\n", i/c);
}
```
Compliant Solution
In this compliant solution, the variable `c` is declared as `unsigned char`. The subsequent division operation is now independent of the signedness of `char` and consequently has a predictable result.

```c
#include <stdio.h>
int main(void) {
    unsigned char c = 200; /* always 200, on every implementation */
    int i = 1000;
    printf("i/c = %d\n", i/c);
}
```
Exceptions
INT07-C-EX1: FIO34-C. Use int to capture the return value of character IO functions that might be used to check for end of file mentions that certain character IO functions return a value of type `int`. Despite being returned in an arithmetic type, the value is not actually numeric in nature, so it is acceptable to later store the result into a variable of type `char`.
Risk Assessment
This is a subtle error that results in a disturbingly broad range of potentially severe vulnerabilities. At the very least, this error can lead to unexpected numerical results on different platforms. Unexpected arithmetic values when applied to arrays or pointers can yield buffer overflows or other invalid memory access.
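The following added example (not code from the CERT page or the checker) puts the two outcomes of the division above side by side and shows the array-index hazard the risk assessment refers to: a byte of 200 held in plain `char` becomes the index -56 on a signed-`char` implementation, while converting the byte to `unsigned char` first keeps every index within 0..255. It assumes 8-bit, two's complement character types, as the text does; all function names are this example's own.

```c
#include <limits.h>
#include <stdio.h>

/* Whether plain char is signed on this implementation (CHAR_MIN is -128 or 0). */
int char_is_signed(void) { return CHAR_MIN < 0; }

/* Noncompliant pattern: the divisor is stored in plain char, so 200 is
 * held as either 200 or -56 depending on the implementation. */
int divide_by_plain_char(int i, int value) {
    char c = (char)value;   /* out-of-range conversion is implementation-defined */
    return i / c;           /* 5 if char is unsigned, -17 if char is signed */
}

/* Compliant pattern: unsigned char fixes the stored value at 200 everywhere. */
int divide_by_unsigned_char(int i, int value) {
    unsigned char c = (unsigned char)value;
    return i / c;           /* 5 for every implementation */
}

/* The index a plain char byte yields when used directly on an array:
 * negative for bytes >= 128 when char is signed, which is how a
 * byte-indexed table lookup turns into an out-of-bounds read. */
int plain_char_index(char c) { return (int)c; }

/* Safe lookup: the raw byte is converted to unsigned char before indexing,
 * so the index is always within 0..255 regardless of char's signedness. */
unsigned char lookup_byte(const unsigned char table[256], char raw) {
    unsigned char idx = (unsigned char)raw;
    return table[idx];
}

/* Constructed table: entry 200 is marked 42; looks it up through a raw byte of 200. */
int lookup_demo(void) {
    unsigned char table[256] = {0};
    table[200] = 42;
    return lookup_byte(table, (char)200);
}

int main(void) {
    printf("char is %s\n", char_is_signed() ? "signed" : "unsigned");
    printf("1000 / (char)200 = %d\n", divide_by_plain_char(1000, 200));
    printf("1000 / (unsigned char)200 = %d\n", divide_by_unsigned_char(1000, 200));
    printf("(char)200 as an index = %d\n", plain_char_index((char)200));
    printf("table[(unsigned char)200] = %d\n", lookup_demo());
    return 0;
}
```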
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| INT07-C | Medium | Probable | Medium | P8 | L2 |
Related Guidelines
| SEI CERT C++ Coding Standard | VOID INT07-CPP. Use only explicitly signed or unsigned char type for numeric values |
| ISO/IEC TR 24772:2013 | Bit Representations [STR] |
| MISRA C:2012 | Rule 10.1 (required) Rule 10.3 (required) Rule 10.4 (required) |
| MITRE CWE | CWE-682, Incorrect calculation |
Possible Messages
| Key | Text | Severity | Disabled |
|---|---|---|---|
| char_used_numerically | Plain char datatype used for non-character data. | None | False |
Options
This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
This rule has no individual options.