CWE-681: Incorrect Conversion between Numeric Types

Description

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2022-2639

Chain: integer coercion error (CWE-192) prevents a return value from indicating an error, leading to out-of-bounds write (CWE-787)
CVE: CVE-2021-43537

Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
CVE: CVE-2007-4268

Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
CVE: CVE-2007-4988

Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
CVE: CVE-2009-0231

Integer truncation of length value leads to heap-based buffer overflow.
CVE: CVE-2008-3282

Size of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Unexpected State, Quality Degradation — Notes: The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability.

Potential Mitigations

Implementation: Avoid making conversion between numeric types. Always check for the allowed ranges. (N/A)

Applicable Platforms

C (N/A, Undetermined)
None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.

int i = (int) 33457.8f;

Intro: This code adds a float and an integer together, casting the result to an integer.

Body: Normally, PHP will preserve the precision of this operation, making $result = 4.8345. After the cast to int, it is reasonable to expect PHP to follow rounding convention and set $result = 5. However, the explicit cast to int always rounds DOWN, so the final value of $result is 4. This behavior may have unintended consequences.

$floatVal = 1.8345; $intVal = 3; $result = (int)$floatVal + $intVal;

Intro: In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

Body: If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

unsigned int readdata () { int amount = 0; ... if (result == ERROR) amount = -1; ... return amount; }

Intro: In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

Body: If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

unsigned int readdata () { int amount = 0; ... amount = accessmainframe(); ... return amount; }

Notes

No notes available.

← Back to CWE list