Possible integer overflow

Description

In Go, the size of the int type is not fixed: it depends on the system architecture (32 bits on a 32-bit system, 64 bits on a 64-bit system). This can lead to integer overflow when the int value returned by strconv.Atoi is converted to a smaller integer type such as int32 or int16 and the value exceeds what the smaller type can hold. The conversion silently wraps, so integer overflow can result in unpredictable behavior and severe bugs.

Remediations

  • Do check values before converting to a smaller type. Ensure the value does not exceed the minimum and maximum values the target type can hold.
  • Do always handle errors returned by conversion functions like strconv.Atoi, so that conversion issues are addressed promptly.
  • Do use fixed-size types like int32 or int64 where possible, to avoid overflow issues that arise from architecture-dependent sizes.
      // Requires "math" and "strconv"; math.MinInt16/MaxInt16 bound the target type.
      if intValue, err := strconv.Atoi(stringValue); err == nil {
          if intValue >= math.MinInt16 && intValue <= math.MaxInt16 {
              int16Value := int16(intValue) // safe: the value is proven to fit in 16 bits
              _ = int16Value
          }
      }
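The following program is an added example (not code from the Bearer rule or its documentation) that puts the three remediations together: the checked narrowing with explicit bounds, the error-handling path, and, for comparison, the unchecked conversion the rule flags. The function names ParseInt16Checked, ParseInt16ViaParseInt and UncheckedNarrow are my own; the second variant uses strconv.ParseInt with a bitSize of 16, which is a standard-library alternative that reports out-of-range input as an error instead of requiring a manual comparison against math.MinInt16/MaxInt16.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// ErrOutOfRange is returned when a parsed value does not fit in int16.
var ErrOutOfRange = errors.New("value out of range for int16")

// ParseInt16Checked parses s with strconv.Atoi and narrows to int16 only
// after an explicit bounds check, mirroring the remediation snippet above.
func ParseInt16Checked(s string) (int16, error) {
	intValue, err := strconv.Atoi(s)
	if err != nil {
		return 0, err // always handle the conversion error
	}
	if intValue < math.MinInt16 || intValue > math.MaxInt16 {
		return 0, ErrOutOfRange
	}
	return int16(intValue), nil // safe: the value is proven to fit in 16 bits
}

// ParseInt16ViaParseInt reaches the same result with strconv.ParseInt and
// bitSize 16: out-of-range input yields a *strconv.NumError wrapping
// strconv.ErrRange, so no manual comparison is needed.
func ParseInt16ViaParseInt(s string) (int16, error) {
	v, err := strconv.ParseInt(s, 10, 16)
	if err != nil {
		return 0, err
	}
	return int16(v), nil
}

// UncheckedNarrow shows the defect the rule flags: the error is ignored and
// the conversion silently wraps, so "70000" becomes 4464.
func UncheckedNarrow(s string) int16 {
	intValue, _ := strconv.Atoi(s)
	return int16(intValue)
}

func main() {
	// Constructed sample inputs: in range, boundary, out of range, not a number.
	for _, s := range []string{"42", "-32768", "70000", "abc"} {
		v, err := ParseInt16Checked(s)
		fmt.Printf("checked   %q -> %d, err=%v\n", s, v, err)
		w, err := ParseInt16ViaParseInt(s)
		fmt.Printf("ParseInt  %q -> %d, err=%v\n", s, w, err)
		fmt.Printf("unchecked %q -> %d\n", s, UncheckedNarrow(s))
	}
}
```

Run it with `go run main.go`: both checked variants reject "70000" and "abc" with an error, while UncheckedNarrow returns 4464 for "70000" and 0 for "abc", neither of which is distinguishable from a legitimate value by the caller.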

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_memory_integer_overflow

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_memory_integer_overflow