Repository :
http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
---------------------------------------------------------------
commit ace93c0dd61b3da84e8bf78e1fc50f4426ff5c55
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Wed Oct 30 20:42:26 2013 +0100
C Language: Mention mixed signed/unsigned comparisons
---------------------------------------------------------------
defensive-coding/en-US/C-Language.xml | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/defensive-coding/en-US/C-Language.xml b/defensive-coding/en-US/C-Language.xml
index b039ed2..f50e36c 100644
--- a/defensive-coding/en-US/C-Language.xml
+++ b/defensive-coding/en-US/C-Language.xml
@@ -141,6 +141,20 @@
lot when implementing overflow checks.
</para>
<para>
+ Sometimes, it is necessary to compare unsigned and signed
+ integer variables. This results in a compiler warning,
+ <emphasis>comparison between signed and unsigned integer
+ expressions</emphasis>, because the comparison often gives
+ unexpected results for negative values. When adding a cast,
+ make sure that negative values are covered properly. If the
+ bound is unsigned and the checked quantity is signed, you should
+ cast the checked quantity to an unsigned type as least as wide
+ as either operand type. As a result, negative values will fail
+ the bounds check. (You can still check for negative values
+ separately for clarity, and the compiler will optimize away this
+ redundant check.)
+ </para>
+ <para>
Legacy code should be compiled with the <option>-fwrapv</option>
GCC option. As a result, GCC will provide 2's complement
semantics for integer arithmetic, including defined behavior on
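Review bot: In the new paragraph, "an unsigned type as least as wide as either operand type" should read "at least as wide as both operand types", and the reason for the width requirement deserves a sentence, because it is the part people get wrong: if the checked quantity is an int and the bound is a size_t, casting to unsigned int turns -1 into UINT_MAX, which is then widened to size_t for the comparison and still passes any bound larger than 4294967295 on LP64; casting directly to size_t yields SIZE_MAX, which fails every bound. A one-line snippet would make the rule concrete, e.g. with `int len` and `size_t limit`: `if ((size_t) len >= limit) { /* reject */ }`. Separately, "the compiler will optimize away this redundant check" promises more than the document can guarantee; "is usually able to" or "is expected to" is safer, since whether the extra negative-value test folds away depends on the compiler and optimization level, and the point of keeping it is readability, not performance.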