CWE-194 - Unexpected Sign Extension

Read Time:1 Minute, 49 Second

Description

The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

Related Weaknesses

CWE-681
CWE-681
CWE-681

Consequences

Integrity, Confidentiality, Availability, Other: Read Memory, Modify Memory, Other

When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application’s allowable range.

Potential Mitigations

Phase: Implementation

Description:

Avoid using signed variables if you don’t need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

CVE References

CVE-2018-10887
- Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)

CVE-1999-0234
- Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.

CVE-2003-0161
- Product uses “char” type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.

CVE-2007-4988
- chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.

CVE-2006-1834
- chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.

CVE-2005-2753
- Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.

InCVE-2018-10887, CWE- 194, Unexpected Sign Extension

CISA’s 2024 Review Highlights Major Efforts in Cybersecurity Industry Collaboration

Casino Players Using Hidden Cameras for Cheating

Friday Squid Blogging: Squid on Pizza

Scams Based on Fake Google Emails

Infostealers Dominate as Lumma Stealer Detections Soar by Almost 400%

The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)

US and Japan Blame North Korea for $308m Crypto Heist

Spyware Maker NSO Group Found Liable for Hacking WhatsApp

Spyware Maker NSO Group Liable for WhatsApp User Hacks

CWE-194 – Unexpected Sign Extension

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security