mirror of
https://github.com/github/codeql.git
synced 2026-02-23 18:33:42 +01:00
Where possible update Java documentation links to Java 11. Additionally update some other links to use HTTPS.
48 lines
1.5 KiB
XML
<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>
<overview>
<p>Performing calculations on uncontrolled data can result in integer overflows
unless the input is validated.</p>

<p>If the data is not under your control, and can take extremely large values,
even arithmetic operations that would usually result in a small change in magnitude may result in overflows.</p>

</overview>
<recommendation>

<p>Always guard against overflow in arithmetic operations on uncontrolled data by doing one of the
following:</p>

<ul>
<li>Validate the data.</li>
<li>Define a guard on the arithmetic expression, so that the operation is performed only if the
result can be known to be less than, or equal to, the maximum value for the type, for example <code>MAX_VALUE</code>.</li>
<li>Use a wider type, so that larger input values do not cause overflow.</li>
</ul>

</recommendation>
<example>

<p>In this example, a random integer is generated. Because the value
is not controlled by the programmer, it could be extremely large. Performing arithmetic operations on this
value could therefore cause an overflow. To avoid this happening, the example shows how to perform
a check before performing a multiplication.</p>

<sample src="ArithmeticUncontrolled.java" />

</example>
<references>

<li>SEI CERT Oracle Coding Standard for Java:
<a href="https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow">NUM00-J. Detect or prevent integer overflow</a>.</li>

<!--  LocalWords:  CWE
 -->

</references>
</qhelp>
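
The guard and wider-type options from the recommendation above, applied to a multiplication on an uncontrolled `int`, as an added Java example. It is not the project's `ArithmeticUncontrolled.java`; the class name, method names and the factor 10 are assumptions made for illustration, and `Math.multiplyExact` is shown as a standard-library form of the same guard.

```java
import java.security.SecureRandom;

// Added illustration; class, method names and FACTOR are hypothetical.
public class OverflowGuardDemo {
    static final int FACTOR = 10;

    // Unguarded: wraps around silently once data falls outside
    // [MIN_VALUE / FACTOR, MAX_VALUE / FACTOR].
    static int scaleUnchecked(int data) {
        return data * FACTOR;
    }

    // Guard on the expression: multiply only when the result is known to fit.
    static int scaleGuarded(int data) {
        if (data > Integer.MAX_VALUE / FACTOR || data < Integer.MIN_VALUE / FACTOR) {
            throw new ArithmeticException("overflow: " + data + " * " + FACTOR);
        }
        return data * FACTOR;
    }

    // Wider type: the cast is applied before the multiplication, so it runs in long.
    static long scaleWide(int data) {
        return (long) data * FACTOR;
    }

    // Library check: Math.multiplyExact throws ArithmeticException on overflow.
    static int scaleExact(int data) {
        return Math.multiplyExact(data, FACTOR);
    }

    public static void main(String[] args) {
        int limit = Integer.MAX_VALUE / FACTOR;
        // Constructed inputs: a small value, the largest safe value, the first
        // unsafe value, and a random int standing in for uncontrolled data.
        int[] samples = { 7, limit, limit + 1, new SecureRandom().nextInt() };
        for (int data : samples) {
            System.out.println("data=" + data
                    + " unchecked=" + scaleUnchecked(data)
                    + " wide=" + scaleWide(data));
            try {
                System.out.println("  guarded=" + scaleGuarded(data)
                        + " exact=" + scaleExact(data));
            } catch (ArithmeticException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```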