Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-194 (未预期的符号扩展) — Vulnerability Class 4

4 vulnerabilities classified as CWE-194 (未预期的符号扩展). AI Chinese analysis included.

CWE-194 represents a critical logic error where a negative value undergoes sign extension during type conversion to a larger data type, resulting in unintended positive values. This weakness typically arises when developers assume unsigned behavior for signed integers or vice versa, leading to severe security vulnerabilities such as buffer overflows or integer overflows. Attackers exploit this by supplying carefully crafted negative inputs that, upon extension, bypass boundary checks or allocate excessive memory, allowing for arbitrary code execution or denial of service. To prevent this, developers must explicitly cast variables to the correct signed or unsigned types before arithmetic operations, validate input ranges strictly, and utilize static analysis tools to detect implicit conversions. Ensuring consistent type handling and rigorous testing of edge cases involving negative numbers is essential for maintaining application integrity and preventing exploitation of sign extension flaws.

MITRE CWE Description
The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
Common Consequences (1)
Integrity, Confidentiality, Availability, OtherRead Memory, Modify Memory, Other
When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, su…
Mitigations (1)
ImplementationAvoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.
Examples (1)
The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.
int GetUntrustedInt () { return(0x0000FFFF); } void main (int argc, char **argv) { char path[256]; char *input; int i; short s; unsigned int sz; i = GetUntrustedInt(); s = i; /* s is -1 so it passes the safety check - CWE-697 */ if (s > 256) { DiePainfully("go away!\n"); } /* s is sign-extended and saved in sz */ sz = s; /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */ printf("i=%d, s=%d, sz=%u\n", i, s, sz); input = GetUserInput("Enter pathname:"); /* strncpy interprets s as unsigned int, so it's treated as MAX_INT (CWE-195), enabling buffer overflow (CWE-119) */ strncpy(pat
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2022-32138 CODESYS runtime system prone to denial of service due to Unexpected Sign Extension — Runtime Toolkit 8.8 High2022-06-24
CVE-2021-38434 FATEK Automation WinProladder — WinProladder 7.8 High2021-10-18
CVE-2020-13544 Softmaker Office 安全漏洞 — Softmaker 7.8 -2021-01-06
CVE-2018-10887 libgit2 数字错误漏洞 — libgit2 8.1 -2018-07-10

Vulnerabilities classified as CWE-194 (未预期的符号扩展) represent 4 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.