Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit ace93c0dd61b3da84e8bf78e1fc50f4426ff5c55 Author: Florian Weimer <fweimer@xxxxxxxxxx> Date: Wed Oct 30 20:42:26 2013 +0100 C Language: Mention mixed signed/unsigned comparisons >--------------------------------------------------------------- defensive-coding/en-US/C-Language.xml | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-) diff --git a/defensive-coding/en-US/C-Language.xml b/defensive-coding/en-US/C-Language.xml index b039ed2..f50e36c 100644 --- a/defensive-coding/en-US/C-Language.xml +++ b/defensive-coding/en-US/C-Language.xml @@ -141,6 +141,20 @@ lot when implementing overflow checks. </para> <para> + Sometimes, it is necessary to compare unsigned and signed + integer variables. This results in a compiler warning, + <emphasis>comparison between signed and unsigned integer + expressions</emphasis>, because the comparison often gives + unexpected results for negative values. When adding a cast, + make sure that negative values are covered properly. If the + bound is unsigned and the checked quantity is signed, you should + cast the checked quantity to an unsigned type as least as wide + as either operand type. As a result, negative values will fail + the bounds check. (You can still check for negative values + separately for clarity, and the compiler will optimize away this + redundant check.) + </para> + <para> Legacy code should be compiled with the <option>-fwrapv</option> GCC option. As a result, GCC will provide 2's complement semantics for integer arithmetic, including defined behavior on -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
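Review bot: the advice in the new paragraph ("cast the checked quantity to an unsigned type ... negative values will fail the bounds check") only holds when the comparison is a strict one against the bound (`(size_t) n < bound`, or `(size_t) n >= bound` for the rejecting branch); with a non-strict form such as `(size_t) n <= bound` and a bound that can reach the maximum of the unsigned type (for example a `size_t` bound equal to `SIZE_MAX`), a negative `n` converts to that same maximum and passes. Consider stating that the check must be of the form `(unsigned_type) n < bound` (or `>=` to reject), or that the bound must be known to be below the type's maximum. Two smaller points on the same hunk: "as least as wide as either operand type" should read "at least as wide as either operand type", and the parenthetical "the compiler will optimize away this redundant check" is a property of an optimizing build rather than a guarantee, so "GCC will normally optimize away" would be more accurate. Since the paragraph describes a concrete idiom, a short listing such as `if (n < 0 || (size_t) n >= bound) return -1;` next to it would make the intended cast placement unambiguous.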