Bad check for overflow of integer addition¶
ID: cpp/bad-addition-overflow-check
Kind: problem
Security severity: 8.1
Severity: error
Precision: very-high
Tags:
- reliability
- correctness
- security
- external/cwe/cwe-190
- external/cwe/cwe-192
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
Checking for overflow of integer addition needs to be done with care, because automatic type promotion can prevent the check from working as intended, with the same value (true
or false
) always being returned.
Recommendation¶
Use an explicit cast to make sure that the result of the addition is not implicitly converted to a larger type.
Example¶
bool checkOverflow(unsigned short x, unsigned short y) {
// BAD: comparison is always false due to type promotion
return (x + y < x);
}
On a typical architecture where short
is 16 bits and int
is 32 bits, the operands of the addition are automatically promoted to int
, so it cannot overflow and the result of the comparison is always false.
The code below implements the check correctly, by using an explicit cast to make sure that the result of the addition is unsigned short
(which may overflow, in which case the comparison would evaluate to true
).
bool checkOverflow(unsigned short x, unsigned short y) {
return ((unsigned short)(x + y) < x); // GOOD: explicit cast
}