Difference between revisions of "Unsigned to signed conversion error"

Jump to: navigation, search
Line 85: Line 85:
* [[Buffer underwrite]]
* [[Buffer underwrite]]
==Categories ==

Revision as of 22:05, 27 May 2006


An unsigned-to-signed conversion error takes place when a large unsigned primitive is used as an signed value - usually as a size variable.


  • Availability: Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.
  • Integrity: If a poor cast lead to a buffer underwrite, data integrity may be affected.
  • Access control (instruction processing): Improper unsigned-to-signed conversions, often create buffer underwrite conditions which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Exposure period

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Design: Accessor functions may be designed to mitigate some of these logical issues.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.


  • Languages: C, C++, Fortran, Assembly
  • Operating platforms: All

Required resources




Likelihood of exploit

Low to Medium

Avoidance and mitigation

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Design: Ensure that interacting functions retain the same types and that only safe type casts must occur. If possible, use intelligent marshalling routines to translate between objects.
  • Implementation: Use out-of-data band channels for transmitting error messages if unsigned size values must be transmitted. Check all errors.
  • Build: Pay attention to compiler warnings which may alert you to improper type casting.


Although less frequent an issue than signed-to-unsigned casting, unsigned-to-signed casting can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition.

Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.


While not exploitable, the following program is an excellent example of how implicit casts, while not changing the value stored, significantly changes its use:

#include <stdio.h>
int main() {   
  int value;    
  value = (int)(~((int)0) ^ (1 << (sizeof(int)*8)));    

  printf("Max unsigned int: %u %1$x\nNow signed: %1$d %1$x\n",
  return (0);

The above code produces the following output:

Max unsigned int: 4294967295 ffffffff
Now signed: -1 ffffffff

Note how the hex value remains unchanged.

Related problems