CodeQL documentation
CodeQL resources

Comparison of narrow type with wide type in loop condition

ID: cpp/comparison-with-wider-type Kind: problem Security severity: 7.8 Severity: warning Precision: high Tags: - reliability - security - external/cwe/cwe-190 - external/cwe/cwe-197 - external/cwe/cwe-835 Query suites: - cpp-code-scanning.qls - cpp-security-extended.qls - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

In a loop condition, comparison of a value of a narrow type with a value of a wide type may result in unexpected behavior if the wider value is sufficiently large (or small). This is because the narrower value may overflow. This can lead to an infinite loop.

Recommendation

Change the types of the compared values so that the value on the narrower side of the comparison is at least as wide as the value it is being compared with.

Example

In this example, bytes_received is compared against max_get in a while loop. However, bytes_received is an int16_t, and max_get is an int32_t. Because max_get is larger than INT16_MAX, the loop condition is always true, so the loop never terminates.

This problem is avoided in the ‘GOOD’ case because bytes_received2 is an int32_t, which is as wide as the type of max_get.

voidmain(intargc,char**argv){uint32_tbig_num=INT32_MAX;charbuf[big_num];int16_tbytes_received=0;intmax_get=INT16_MAX+1;// BAD: 'bytes_received' is compared with a value of a wider type.// 'bytes_received' overflows before reaching 'max_get',// causing an infinite loopwhile(bytes_received<max_get)bytes_received+=get_from_input(buf,bytes_received);}uint32_tbytes_received=0;// GOOD: 'bytes_received2' has a type at least as wide as 'max_get'while(bytes_received<max_get){bytes_received+=get_from_input(buf,bytes_received);}}intgetFromInput(char*buf,shortpos){// write to buf// ...return1;}

References

close