Description

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Relationships

  Nature       Type       ID     View
  ChildOf      Category   867    900
  ChildOf      Category   808    800
  ChildOf      Weakness   704    1000
  CanPrecede   Weakness   682    1000
  ChildOf      Category   189    699
  ChildOf      Category   136    699
  ChildOf      Category   738    734
  ChildOf      Category   739    734
  ChildOf      Category   848    844
  ChildOf      Category   872    868
  ChildOf      Category   873    868
  ChildOf      Category   885    888

Time of Introduction

  Implementation

Likelihood of Exploit

  Medium to High

Common Consequences

  Scope: Other, Integrity
  Impact: Unexpected state, Quality degradation
  The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability.

Potential Mitigations

  Phase: Implementation
  Avoid making conversions between numeric types. Always check for the allowed ranges.

Demonstrative Examples

Example 1

In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.

(Java)

    int i = (int) 33457.8f;   /* the fractional part is discarded: i == 33457 */

Example 2

This code adds a float and an integer together, casting the result to an integer.

(PHP)

    $floatVal = 1.8345;
    $intVal = 3;
    $result = (int)$floatVal + $intVal;   /* the cast discards the fraction */

Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences.

Example 3

In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

(C)

    unsigned int readdata () {
        int amount = 0;
        ...
        if (result == ERROR)
            amount = -1;
        ...
        return amount;   /* int -1 is implicitly converted to unsigned int */
    }

If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.
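The implicit int-to-unsigned conversion in readdata() above, next to the range checks the mitigation calls for, as an added example rather than code from the CWE entry; the status parameter (standing in for the elided ERROR condition), the 16-bit length field and the check values are constructed for illustration:

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Same shape as the page's readdata(): a negative int returned through an
 * unsigned int silently becomes a huge positive value. `status` stands in
 * for the page's elided ERROR condition (constructed for this example). */
unsigned int readdata_unchecked(int status) {
    int amount = 0;
    if (status < 0)
        amount = -1;
    return amount;   /* implicit int -> unsigned int: -1 becomes UINT_MAX */
}

/* Signed -> unsigned: refuse negative values instead of letting them wrap. */
bool int_to_uint_checked(int value, unsigned int *out) {
    if (value < 0) return false;
    *out = (unsigned int)value;
    return true;
}

/* Wide -> narrow: a size_t length fits a 16-bit field only if <= UINT16_MAX
 * (the truncation pattern of the CVE-2009-0231 entry on this page). */
bool size_to_u16_checked(size_t len, uint16_t *out) {
    if (len > UINT16_MAX) return false;
    *out = (uint16_t)len;
    return true;
}

/* float -> int: the cast is undefined outside int's range, so check first
 * (NaN fails both comparisons and is rejected as well). */
bool float_to_int_checked(float f, int *out) {
    if (!(f >= (float)INT_MIN && f < (float)INT_MAX)) return false; /* (float)INT_MAX == 2^31 */
    *out = (int)f;   /* truncates toward zero: 33457.8f -> 33457 */
    return true;
}

/* Number of conversions that did not behave as documented above (0 = all good). */
int run_checks(void) {
    int fails = 0; unsigned int u; uint16_t w; int i;
    fails += readdata_unchecked(-1) != UINT_MAX;                 /* the silent wrap */
    fails += int_to_uint_checked(-1, &u);                        /* must be rejected */
    fails += !(int_to_uint_checked(42, &u) && u == 42u);
    fails += size_to_u16_checked((size_t)70000, &w);             /* must be rejected */
    fails += !(size_to_u16_checked(65535, &w) && w == 65535);
    fails += !(float_to_int_checked(33457.8f, &i) && i == 33457);
    fails += float_to_int_checked(3.0e9f, &i);                   /* must be rejected */
    return fails;
}
```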
Example 4

In this example, depending on the return value of accessmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

(C)

    unsigned int readdata () {
        int amount = 0;
        ...
        amount = accessmainframe();   /* may return a negative error code */
        ...
        return amount;                /* implicitly converted to unsigned int */
    }

If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

Observed Examples

  CVE-2007-4268  Chain: integer signedness passes signed comparison, leads to heap overflow.
  CVE-2007-4988  Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
  CVE-2009-0231  Integer truncation of length value leads to heap-based buffer overflow.
  CVE-2008-3282  Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor that causes an incorrect index to be generated.

References

  Mark Dowd, John McDonald and Justin Schuh. The Art of Software Security Assessment. Chapter 6, "Type Conversions", Page 223.
  1st Edition. Addison Wesley, 2006.

Taxonomy Mappings

  CERT C Secure Coding
    FLP33-C  Convert integers to floating point for floating point operations
    FLP34-C  Ensure that floating point conversions are within range of the new type
    INT15-C  Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
    INT31-C  Ensure that integer conversions do not result in lost or misinterpreted data
    INT35-C  Evaluate integer expressions in a larger size before comparing or assigning to that size

  CERT Java Secure Coding
    NUM12-J  Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data

  CERT C++ Secure Coding
    INT15-CPP  Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types
    INT31-CPP  Ensure that integer conversions do not result in lost or misinterpreted data
    INT35-CPP  Evaluate integer expressions in a larger size before comparing or assigning to that size
    FLP33-CPP  Convert integers to floating point for floating point operations
    FLP34-CPP  Ensure that floating point conversions are within range of the new type

Content History

  Modifications
    2008-07-01  Sean Eidemiller (Cigital)   added/updated demonstrative examples
    2008-07-01  Eric Dalci (Cigital)        updated Potential_Mitigations, Time_of_Introduction
    2008-09-08  CWE Content Team (MITRE)    updated Relationships
    2008-11-24  CWE Content Team (MITRE)    updated Description, Relationships, Taxonomy_Mappings
    2009-12-28  CWE Content Team (MITRE)    updated Applicable_Platforms, Likelihood_of_Exploit, Potential_Mitigations
    2010-02-16  CWE Content Team (MITRE)    updated Relationships
    2011-03-29  CWE Content Team (MITRE)    updated Demonstrative_Examples
    2011-06-01  CWE Content Team (MITRE)    updated Common_Consequences, Relationships, Taxonomy_Mappings
    2011-06-27  CWE Content Team (MITRE)    updated Common_Consequences, Observed_Examples, Relationships
    2011-09-13  CWE Content Team (MITRE)    updated Relationships, Taxonomy_Mappings
    2012-05-11  CWE Content Team (MITRE)    updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings