From 836b8965e21db083a9375729df607bd7da5cf192 Mon Sep 17 00:00:00 2001 From: Slavomir Date: Thu, 30 Apr 2020 16:59:30 +0300 Subject: [PATCH] Beautify .qhelp file --- .../CWE-681/IncorrectNumericConversion.qhelp | 67 +++++++++---------- 1 file changed, 31 insertions(+), 36 deletions(-) diff --git a/ql/src/experimental/CWE-681/IncorrectNumericConversion.qhelp b/ql/src/experimental/CWE-681/IncorrectNumericConversion.qhelp index 2a693d1bc57..606131ce6d9 100644 --- a/ql/src/experimental/CWE-681/IncorrectNumericConversion.qhelp +++ b/ql/src/experimental/CWE-681/IncorrectNumericConversion.qhelp @@ -1,78 +1,73 @@ +"-//Semmle//qhelp//EN" +"qhelp.dtd"> -

-If a numeric value string is parsed using strconv.Atoi into an int, and subsequently that int -is converted into another type of a lower bit size, the result can produce unexpected values. + If a numeric value string is parsed using strconv.Atoi into an int, and subsequently that int + is converted into another type of a lower bit size, the result can produce unexpected values.

-This also applie to the results of strconv.ParseFloat, strconv.ParseInt, -and strconv.ParseUint when the specified bit size is higher than the bit size of the -type that number is converted to. + This also applie to the results of strconv.ParseFloat, strconv.ParseInt, + and strconv.ParseUint when the specified bit size is higher than the bit size of the + type that number is converted to.

-

-If you need to parse numeric values with specific bit sizes, avoid strconv.Atoi, and, instead, -use the functions specific to each type (strconv.ParseFloat, strconv.ParseInt, -strconv.ParseUint) that also allow to specify the wanted bit size. + If you need to parse numeric values with specific bit sizes, avoid strconv.Atoi, and, instead, + use the functions specific to each type (strconv.ParseFloat, strconv.ParseInt, + strconv.ParseUint) that also allow to specify the wanted bit size.

-When using those functions, be careful to not convert the result to another type with a lower bit size than -the bit size you specified when parsing the number. + When using those functions, be careful to not convert the result to another type with a lower bit size than + the bit size you specified when parsing the number.

-If this is not possible, then add upper (and lower) bound checks specific to each type and -bit size (you can find the min and max value for each type in the `math` package). + If this is not possible, then add upper (and lower) bound checks specific to each type and + bit size (you can find the min and max value for each type in the `math` package).

-

-In the first example, assume that an input string is passed to parseAllocateBad1 function, -parsed by strconv.Atoi, and then converted into an int32 type: + In the first example, assume that an input string is passed to parseAllocateBad1 function, + parsed by strconv.Atoi, and then converted into an int32 type:

-The bounds are not checked, so this means that if the provided number is greater than max int32, -the resulting value from the conversion will be different from the actual provided value. + The bounds are not checked, so this means that if the provided number is greater than max int32, + the resulting value from the conversion will be different from the actual provided value.

-To avoid unexpected values, you should either use the other functions provided by the strconv -package to parse the specific types and bit sizes; in this case, strconv.ParseInt as you -can see in parseAllocateGood2 function; or check bounds as in parseAllocateGood1 -function. + To avoid unexpected values, you should either use the other functions provided by the strconv + package to parse the specific types and bit sizes; in this case, strconv.ParseInt as you + can see in parseAllocateGood2 function; or check bounds as in parseAllocateGood1 + function.

-

-In the second example, assume that an input string is passed to parseAllocateBad2 function, -parsed by strconv.ParseInt with a bit size set to 64, and then converted into an int32 type: + In the second example, assume that an input string is passed to parseAllocateBad2 function, + parsed by strconv.ParseInt with a bit size set to 64, and then converted into an int32 type:

-If the provided number is greater than max int32, the resulting value from the conversion will be -different from the actual provided value. + If the provided number is greater than max int32, the resulting value from the conversion will be + different from the actual provided value.

-To avoid unexpected values, you should specify the correct bit size as in parseAllocateGood3; -or check bounds before making the conversion as in parseAllocateGood4. + To avoid unexpected values, you should specify the correct bit size as in parseAllocateGood3; + or check bounds before making the conversion as in parseAllocateGood4.

-
  • -mitre.org: CWE-681: Incorrect Conversion between Numeric Types. + mitre.org: CWE-681: Incorrect Conversion between Numeric Types.
  • -mitre.org: CWE-190: Integer Overflow or Wraparound. + mitre.org: CWE-190: Integer Overflow or Wraparound.
  • -
    + \ No newline at end of file
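Review bot: since this is a beautify-only pass, the typo in the second paragraph survives the re-indent; "This also applie to the results of strconv.ParseFloat" should read "This also applies to the results of strconv.ParseFloat", and "that also allow to specify the wanted bit size" reads more naturally as "that also allow you to specify the wanted bit size". Two smaller points in the same hunk: the recommendation paragraph wraps the package name in markdown backticks (`math`), which qhelp does not interpret, so they will render literally; the file's own inline-code markup should be used instead. And the new version of the file ends with "\ No newline at end of file", so a trailing newline should be added so that later diffs against this file stay clean.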