Description
The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
Potential Impact
Integrity, Confidentiality, Availability, Other
Read Memory, Modify Memory, Other
Demonstrative Examples
int GetUntrustedInt () {return(0x0000FFFF);}
void main (int argc, char **argv) {
char path[256];char *input;int i;short s;unsigned int sz;
i = GetUntrustedInt();s = i;/* s is -1 so it passes the safety check - CWE-697 */if (s > 256) {DiePainfully("go away!\n");}
/* s is sign-extended and saved in sz */sz = s;
/* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */printf("i=%d, s=%d, sz=%u\n", i, s, sz);
input = GetUserInput("Enter pathname:");
/* strncpy interprets s as unsigned int, so it's treated as MAX_INT(CWE-195), enabling buffer overflow (CWE-119) */strncpy(path, input, s);path[255] = '\0'; /* don't want CWE-170 */printf("Path is: %s\n", path);
}Mitigations & Prevention
Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.
Detection Methods
- Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2018-10887 | Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) |
| CVE-1999-0234 | Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection. |
| CVE-2003-0161 | Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator va |
| CVE-2007-4988 | chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. |
| CVE-2006-1834 | chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier. |
| CVE-2005-2753 | Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy. |
Related Weaknesses
Taxonomy Mappings
- CLASP: — Sign extension error
- Software Fault Patterns: SFP1 — Glitch in computation
- CERT C Secure Coding: INT31-C — Ensure that integer conversions do not result in lost or misinterpreted data
Frequently Asked Questions
What is CWE-194?
CWE-194 (Unexpected Sign Extension) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected value...
How can CWE-194 be exploited?
Attackers can exploit CWE-194 (Unexpected Sign Extension) to read memory, modify memory, other. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-194?
Key mitigations include: Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing the
What is the severity of CWE-194?
CWE-194 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 6 real-world CVEs.