logo

Unexpected Sign Extension

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when a signed number from a smaller data type is moved or cast to a larger type, causing its sign bit to be incorrectly extended. If the original value is negative, this sign extension can fill the new, higher-order bits with '1's, leading to unexpectedly large positive values and causing logic errors, buffer overflows, or security bypasses.

Extended Description

Sign extension is a standard behavior in programming languages like C and C++ when promoting a signed integer (e.g., a signed 8-bit `char`) to a larger signed type (e.g., a 32-bit `int`). The problem arises when developers don't account for this automatic behavior, especially when treating the resulting value as an unsigned number or using it for operations like memory allocation, array indexing, or length validation. A classic example is reading a byte value of `0xFF` (-1 as a signed char) into an unsigned integer, which becomes `0xFFFFFFFF` (a very large positive number), potentially leading to out-of-bounds access. To prevent this, developers must be explicit about data types during conversions. Always consider if the source data should be treated as signed or unsigned before widening it. Use explicit casts to the intended target type, and when working with raw byte data or protocol parsing, prefer unsigned types for counts and indices. Performing range checks on the source value before the conversion or using bit masks (e.g., `new_value = old_value & 0xFF`) can effectively strip unwanted sign-extended bits and ensure the resulting value matches the intended logic.
Common Consequences 1
Scope: IntegrityConfidentialityAvailabilityOther

Impact: Read MemoryModify MemoryOther

When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range.
Potential Mitigations 1
Phase: Implementation
Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.
Demonstrative Examples 1

ID : DX-23

The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.

Code Example:

Bad
C
c
This code first exhibits an example of Numeric Range Comparison Without Minimum Check, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Observed Examples 6
CVE-2018-10887Chain: unexpected sign extension (Unexpected Sign Extension) leads to integer overflow (Integer Overflow or Wraparound), causing an out-of-bounds read (Out-of-bounds Read)
CVE-1999-0234Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
CVE-2003-0161Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
CVE-2007-4988chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
CVE-2006-1834chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
CVE-2005-2753Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.
References 3
C Language Issues for Application Security
John McDonald, Mark Dowd, and Justin Schuh
25-01-2008
http://www.informit.com/articles/article.aspx?p=686170&seqNum=6
ID: REF-161
Integral Security
Robert Seacord
03-11-2006
https://drdobbs.com/cpp/integral-security/193501774(2023-04-07)
ID: REF-162
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
Likelihood of Exploit

High

Applicable Platforms
Languages:
C : UndeterminedC++ : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Incorrect Conversion between Numeric Types (CWE-681)
ChildOf: Incorrect Conversion between Numeric Types (CWE-681)
ChildOf: Incorrect Conversion between Numeric Types (CWE-681)
Taxonomy Mapping
  • CLASP
  • Software Fault Patterns
  • CERT C Secure Coding
Notes
RelationshipSign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation.
MaintenanceThis entry is closely associated with signed-to-unsigned conversion errors (Signed to Unsigned Conversion Error) and other numeric errors. These relationships need to be more closely examined within CWE.