Incorrect Conversion between Numeric Types

Status: Draft
Abstraction: Base
Structure: Simple
Description

When a value is converted from one numeric type to another (for example from long to int, or from a signed type to an unsigned one), bits can be dropped or reinterpreted so that the result no longer equals the original value. If the converted value is then used in a sensitive context, such as a length, an index, or an access decision, dangerous behavior can follow.

Common Consequences
Scope: Other, Integrity

Impact: Unexpected State, Quality Degradation

The program may end up using the wrong number and produce incorrect results. If that number is used to allocate resources, size a buffer, or make a security decision, the conversion error becomes a vulnerability.

Potential Mitigations
Phase: Implementation
Avoid conversions between numeric types where possible. Where a conversion is unavoidable, check that the value lies within the range the destination type can represent before converting, and treat an out-of-range value as an error rather than letting it wrap, truncate, or change sign.
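The range check this mitigation calls for, as an added C example that is not part of the CWE entry. It shows the width-truncation side of the weakness (a 64-bit length narrowed to 32 bits, the pattern behind several of the observed examples below): a validation performed on the already-truncated copy is bypassed, while a checked narrowing helper rejects the out-of-range value. The function names, the header value 0x100000005 and the 1024-byte limit are constructed for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a bare cast does: only the low 32 bits survive, so 0x1_0000_0005
   silently becomes 5. */
uint32_t truncated_u32(uint64_t value)
{
    return (uint32_t)value;
}

/* Checked narrowing: succeed only if no bits would be lost.
   Returns false and leaves *out unchanged on failure. */
bool narrow_u64_to_u32(uint64_t value, uint32_t *out)
{
    if (value > UINT32_MAX) {
        return false;
    }
    *out = (uint32_t)value;
    return true;
}

/* Checked size_t -> int, for lengths that must be handed to an int API.
   size_t is unsigned and usually wider than int, so anything above INT_MAX
   would come out negative or truncated from a plain cast. */
bool size_to_int(size_t value, int *out)
{
    if (value > (size_t)INT_MAX) {
        return false;
    }
    *out = (int)value;
    return true;
}

/* Vulnerable pattern (constructed): a header carries a 64-bit length, the
   code narrows it first and then validates the narrowed copy. A length of
   0x100000005 truncates to 5 and passes a 1024-byte limit, while the
   original large value, or arithmetic derived from it, is what is used
   later. */
bool validate_len_bad(uint64_t header_len, uint32_t limit)
{
    uint32_t len = (uint32_t)header_len; /* truncation before the check */
    return len <= limit;
}

/* Hardened: narrow with a check, and reject the value if narrowing fails. */
bool validate_len_good(uint64_t header_len, uint32_t limit)
{
    uint32_t len;
    if (!narrow_u64_to_u32(header_len, &len)) {
        return false;
    }
    return len <= limit;
}

int main(void)
{
    uint64_t hostile = UINT64_C(0x100000005); /* constructed header value */
    printf("cast of 0x%llx -> %u\n",
           (unsigned long long)hostile, truncated_u32(hostile));
    printf("bad check passes:  %s\n", validate_len_bad(hostile, 1024) ? "yes" : "no");
    printf("good check passes: %s\n", validate_len_good(hostile, 1024) ? "yes" : "no");
    return 0;
}
```

The rule of thumb the helpers encode: validate in the widest type involved, and only then narrow, so the value that passed the check is the value that gets used.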
Demonstrative Examples
In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.

Code Example (Bad, Java):
This code adds a float and an integer together, casting the result to an integer.

Code Example (Bad, PHP):

Normally, PHP preserves the precision of this operation, making $result = 4.8345. After the cast to int, a reader might reasonably expect PHP to follow the usual rounding convention and set $result = 5. However, an explicit (int) cast in PHP never rounds: it truncates toward zero (which for a positive value means rounding down), so the final value of $result is 4. This behavior may have unintended consequences.
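The two float-to-int examples above, as an added C example rather than the CWE entry's own Java or PHP code. It shows the same truncation toward zero, the nearest-integer rounding a reader might have expected, and a range-checked conversion that C needs because, unlike PHP, converting an out-of-range double to int is undefined behavior. The function names are constructed for the illustration; the operands 1.8345 and 3 are constructed so that the sum is the 4.8345 from the PHP example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The bare cast used in the Java and PHP examples: C truncates toward
   zero, so 4.8345 -> 4 and -4.8345 -> -4. The fraction is silently lost. */
int truncating_cast(double value)
{
    return (int)value;
}

/* What a reader expecting "rounding" would get: nearest integer, with
   halves rounded away from zero. 4.8345 -> 5, -4.8345 -> -5.
   Written without <math.h> so the example links without -lm; it is meant
   for values of ordinary magnitude, not for the edges of the long range. */
long rounded_cast(double value)
{
    return value >= 0.0 ? (long)(value + 0.5) : (long)(value - 0.5);
}

/* Checked conversion: reject NaN and anything outside the int range before
   the cast. Returns false and leaves *out unchanged on failure. */
bool checked_double_to_int(double value, int *out)
{
    if (value != value) {          /* only NaN compares unequal to itself */
        return false;
    }
    /* The magnitudes of INT_MIN and INT_MAX + 1 are powers of two, so both
       bounds are exact as doubles; every value in [INT_MIN, INT_MAX + 1)
       truncates to a representable int. */
    if (value < (double)INT_MIN || value >= (double)INT_MAX + 1.0) {
        return false;
    }
    *out = (int)value;
    return true;
}

int main(void)
{
    double float_val = 1.8345;     /* constructed operands, sum = 4.8345 */
    int int_val = 3;
    double sum = float_val + int_val;
    int checked;

    printf("sum = %.4f, truncated = %d, rounded = %ld\n",
           sum, truncating_cast(sum), rounded_cast(sum));
    printf("1e10 fits in int: %s\n",
           checked_double_to_int(1e10, &checked) ? "yes" : "no");
    return 0;
}
```

Whether the code wants truncation or rounding is a design decision; the point is that a cast makes that decision silently, and that in C the cast additionally has no defined result once the value is out of range.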

ID : DX-73

In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

Code Example (Bad, C):
If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

ID : DX-74

In this example, depending on the return value of accessmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly converted to an unsigned number.

Code Example (Bad, C):
If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.
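The two C examples above, as an added runnable example that is not part of the CWE entry. accessmainframe() is replaced by a constructed stand-in that takes the simulated result as a parameter so the code runs offline; readdata_bad() keeps the page's unsigned-return pattern, and readdata_fixed() is a hardened version that separates the error channel from the count.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the page's accessmainframe(): the caller supplies
   the value the real call would have produced. By convention -1 means
   failure; anything else is a byte count. */
static int accessmainframe_sim(int simulated_result)
{
    return simulated_result;
}

/* The pattern from the two C examples: declared to return unsigned int,
   but the local `amount` is a signed int that can be -1. On return, -1 is
   converted to UINT_MAX (4,294,967,295 with 32-bit int), so the error
   signal is lost and the caller sees an enormous length instead. */
unsigned int readdata_bad(int simulated_result)
{
    int amount = 0;
    amount = accessmainframe_sim(simulated_result);
    return amount;   /* implicit signed -> unsigned conversion happens here */
}

/* Hardened: keep the error channel separate from the data. The count is
   stored only after it is known to be non-negative, so the cast cannot
   change its value. Returns false and leaves *out unchanged on error. */
bool readdata_fixed(int simulated_result, unsigned int *out)
{
    int amount = accessmainframe_sim(simulated_result);
    if (amount < 0) {
        return false;
    }
    *out = (unsigned int)amount;
    return true;
}

int main(void)
{
    unsigned int n;

    printf("readdata_bad(-1)  = %u\n", readdata_bad(-1));
    printf("readdata_bad(100) = %u\n", readdata_bad(100));
    if (readdata_fixed(-1, &n)) {
        printf("readdata_fixed(-1) succeeded with %u\n", n);
    } else {
        printf("readdata_fixed(-1) reported an error\n");
    }
    return 0;
}
```

Two caller-side details follow from the same conversion rules: a caller that writes `if (n == -1)` still catches the bad case, because the -1 on the right is converted to UINT_MAX the same way, but `if (n < 0)` can never be true for an unsigned n (compilers warn about exactly that), and a caller that simply uses n as a length gets 4,294,967,295.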
Observed Examples
  • CVE-2022-2639: Chain: integer coercion error (Integer Coercion Error) prevents a return value from indicating an error, leading to out-of-bounds write (Out-of-bounds Write).
  • CVE-2021-43537: Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (Incorrect Conversion between Numeric Types), potentially leading to an integer overflow (Integer Overflow or Wraparound). If an integer overflow occurs, this can cause heap memory corruption (Heap-based Buffer Overflow).
  • CVE-2007-4268: Chain: integer signedness error (Signed to Unsigned Conversion Error) passes signed comparison, leading to heap overflow (Heap-based Buffer Overflow).
  • CVE-2007-4988: Chain: signed short width value in image processor is sign-extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
  • CVE-2009-0231: Integer truncation of length value leads to heap-based buffer overflow.
  • CVE-2008-3282: Size of a particular type changes for 64-bit platforms, leading to an integer truncation in a document processor that causes an incorrect index to be generated.
References
  • [REF-962] Object Management Group (OMG). "Automated Source Code Security Measure (ASCSM)". 2016-01.
Likelihood of Exploit
High

Applicable Platforms
Languages: C (Undetermined); Not Language-Specific (Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • CERT C Secure Coding (four mapped rules)
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns
  • OMG ASCSM