CWE-704: Incorrect Type Conversion or Cast

Export to Word

Description

The product does not correctly convert an object, resource, or structure from one type to a different type.

Extended Description

N/A

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-2021-43537

Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
CVE: CVE-2022-3979

Chain: data visualization program written in PHP uses the "!=" operator instead of the type-strict "!==" operator (CWE-480) when validating hash values, potentially leading to an incorrect type conversion (CWE-704)

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Other — Notes:

Potential Mitigations

None listed.

Applicable Platforms

C (N/A, Often)
C++ (N/A, Often)
None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

Body: If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

unsigned int readdata () { int amount = 0; ... amount = accessmainframe(); ... return amount; }

Intro: The following code uses a union to support the representation of different types of messages. It formats messages differently, depending on their type.

Body: The code intends to process the message as a NAME_TYPE, and sets the default message to "Hello World." However, since both buf.name and buf.nameID are part of the same union, they can act as aliases for the same memory location, depending on memory layout after compilation.

#define NAME_TYPE 1 #define ID_TYPE 2 struct MessageBuffer { int msgType; union { char *name; int nameID; }; }; int main (int argc, char **argv) { struct MessageBuffer buf; char *defaultMessage = "Hello World"; buf.msgType = NAME_TYPE; buf.name = defaultMessage; printf("Pointer of buf.name is %p\n", buf.name); /* This particular value for nameID is used to make the code architecture-independent. If coming from untrusted input, it could be any value. */ buf.nameID = (int)(defaultMessage + 1); printf("Pointer of buf.name is now %p\n", buf.name); if (buf.msgType == NAME_TYPE) { printf("Message: %s\n", buf.name); } else { printf("Message: Use ID %d\n", buf.nameID); } }

Notes

No notes available.

← Back to CWE list