Difference between revisions of "Signed to unsigned conversion error"

Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[http://s1.shard.jp/frhorton/9nls8flts.html aids facts africa] [http://s1.shard.jp/losaul/australia-getaway.html australia calculator tax
] [http://s1.shard.jp/frhorton/y6gqutu2n.html africa songhai
] [http://s1.shard.jp/galeach/new118.html indian embassy south asia
] [http://s1.shard.jp/olharder/route-66-auto.html autocad 2004 authorization
] [http://s1.shard.jp/olharder/discount-auto-part.html autothority chip
] [http://s1.shard.jp/olharder/automobile-get.html inline autocomplete
] [http://s1.shard.jp/frhorton/wntjtqor2.html early south african music
] [http://s1.shard.jp/losaul/polo-photography.html lowan australia ltd
] [http://s1.shard.jp/bireba/nod-antivirus.html antivirus scan free download
] [http://s1.shard.jp/galeach/new172.html asian girl model thumbnail young
] [http://s1.shard.jp/bireba/anyware-antivirus.html antivirus cleanup
] [http://s1.shard.jp/losaul/job-search-cairns.html animal australia enclosure small
] [http://s1.shard.jp/galeach/new165.html asian girl friends
] [http://s1.shard.jp/losaul/severe-droughts.html cheap australian web hosting
] [http://s1.shard.jp/frhorton/bnd824p72.html yardley cosmetics south africa
] [http://s1.shard.jp/galeach/new7.html calendar and asian and woman
] [http://s1.shard.jp/bireba/panda-antivirus.html pc magazine antivirus
] [http://s1.shard.jp/galeach/map.html hamamoto asian
] [http://s1.shard.jp/bireba/download-antivirus.html etrust antivirus 7.0.139
] [http://s1.shard.jp/galeach/new62.html asian symbol
] [http://s1.shard.jp/frhorton/ds9o5dtz4.html african gift items
] [http://s1.shard.jp/losaul/vogue-australias.html apl lines australia
] [http://s1.shard.jp/olharder/automobile-dealer.html automobile dealer national] [http://s1.shard.jp/galeach/new9.html sen thai asian bistro
] [http://s1.shard.jp/frhorton/xodsctsq6.html african gray
] [http://s1.shard.jp/bireba/clamav-antivirus.html clamav antivirus download] [http://s1.shard.jp/olharder/autokillercom.html automotive lyndale service
] [http://s1.shard.jp/bireba/norton-antivirus.html antivirus personal
] [http://s1.shard.jp/losaul/department-of-agriculture.html australian free lotto system
] [http://s1.shard.jp/galeach/new82.html asian food grocer] [http://s1.shard.jp/galeach/new125.html asia news network
] [http://s1.shard.jp/galeach/new198.html anal asian free pic
] [http://s1.shard.jp/bireba/norton-antivirus.html antivirus roundup
] [http://s1.shard.jp/bireba/map.html winantivirus popup
] [http://s1.shard.jp/losaul/real-estate-for.html disney stores australia
] [http://s1.shard.jp/olharder/canadian-auto.html autonics sensors
] [http://s1.shard.jp/frhorton/whhjm2ac8.html african american vow wedding
] [http://s1.shard.jp/bireba/antivirus-software.html nod antivirus
] [http://s1.shard.jp/frhorton/bnm8i4pvp.html africa kids facts
] [http://s1.shard.jp/olharder/autoridad-nacional.html autoridad nacional del ambiente panama] [http://s1.shard.jp/olharder/auto-automotriz.html enchere auto
] [http://s1.shard.jp/losaul/microbiology.html workcover australian capital territory
] [http://s1.shard.jp/olharder/subasta-de-autos.html reedman toll auto world langhorne pa
] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/olharder/o-riley-autoparts.html autosurf autosurf autosurfhit.com free site
] [http://s1.shard.jp/losaul/australian-landrover.html australia uranium company
] [http://s1.shard.jp/losaul/rowing-clothing.html bird sales australia
] [http://s1.shard.jp/galeach/new122.html asian option smile
] [http://s1.shard.jp/bireba/antivirus-free-download.html avg antivirus new

Revision as of 06:49, 3 June 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 06/3/2009

Vulnerabilities Table of Contents


A signed-to-unsigned conversion error takes place when a signed primitive is used as an unsigned value, usually as a size variable.


  • Availability: Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.
  • Integrity: If a poor cast leads to a buffer overflow or similar condition, data integrity may be affected.
  • Access control (instruction processing): Improper signed-to-unsigned conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Exposure period

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Design: Accessor functions may be designed to mitigate some of these logical issues.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.


  • Languages: C, C++, Fortran, Assembly
  • Operating platforms: All

Required resources




Likelihood of exploit


Often, functions will return negative values to indicate a failure state. In the case of functions which return values which are meant to be used as sizes, negative return values can have unexpected results. If these values are passed to the standard memory copy or allocation functions, they will implicitly cast the negative error, indicating value to a large unsigned value.

In the case of allocation, this may not be an issue; however, in the case of memory and string copy functions, this can lead to a buffer overflow condition which may be exploitable.

Also, if the variables in question are used as indexes into a buffer, it may result in a buffer underflow condition.

In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:

int returnChunkSize(void *) {
  /* if chunk info is valid, return the size of usable memory, 
   * else, return -1 to indicate an error

int main() {
  memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));

If returnChunkSize() happens to encounter an error, and returns -1, memcpy will assume that the value is unsigned and therefore interpret it as MAXINT-1, therefore copying far more memory than is likely available in the destination buffer.

Risk Factors




Related Attacks

Related Vulnerabilities

Related Controls

  • Requirements specification: Choose a language which is not subject to these casting flaws.
  • Design: Design object accessor functions to implicitly check values for valid sizes. Ensure that all functions which will be used as a size are checked previous to use as a size. If the language permits, throw exceptions rather than using in-band errors.
  • Implementation: Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible.

Related Technical Impacts


Note: A reference to related CWE or CAPEC article should be added when exists. Eg: