CWE-194: Unexpected Sign Extension
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
常见后果
影响范围: Integrity Confidentiality Availability Other
技术影响: Read Memory Modify Memory Other
说明: When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range.
潜在缓解措施
阶段: Implementation
描述: Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.
观察示例
参考: CVE-2018-10887
Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
参考: CVE-1999-0234
Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
参考: CVE-2003-0161
Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
参考: CVE-2007-4988
chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
参考: CVE-2006-1834
chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
参考: CVE-2005-2753
Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Sign extension error | - |
| Software Fault Patterns | SFP1 | Glitch in computation | - |
| CERT C Secure Coding | INT31-C | Ensure that integer conversions do not result in lost or misinterpreted data | CWE More Specific |