CWE-194 Detail

CWE-194

Unexpected Sign Extension
High
Incomplete
2006-07-19
00h00 +00:00
2023-06-29
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Unexpected Sign Extension

The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Name: C (Undetermined)
Name: C++ (Undetermined)

Common Consequences

Scope Impact Likelihood
Integrity
Confidentiality
Availability
Other		Read Memory, Modify Memory, Other

Note: When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range.

Observed Examples

References Description

CVE-2018-10887

Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)

CVE-1999-0234

Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.

CVE-2003-0161

Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.

CVE-2007-4988

chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.

CVE-2006-1834

chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.

CVE-2005-2753

Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.

Potential Mitigations

Phases : Implementation
Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.
This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE.

References

REF-161

C Language Issues for Application Security
John McDonald, Mark Dowd, Justin Schuh.
http://www.informit.com/articles/article.aspx?p=686170&seqNum=6

REF-162

Integral Security
Robert Seacord.
https://drdobbs.com/cpp/integral-security/193501774

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

Submission

Name Organization Date Date release Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Description, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2008-11-05 +00:00 complete rewrite of the entire entry
CWE Content Team MITRE 2008-11-24 +00:00 updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2009-10-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2010-04-05 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2010-12-13 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated References, Taxonomy_Mappings
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Observed_Examples
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes