[Secure Coding] master: C Language: Mention mixed signed/unsigned comparisons (ace93c0)

fweimer at fedoraproject.org
Wed Oct 30 19:42:43 UTC 2013


Repository : http://git.fedorahosted.org/git/?p=secure-coding.git

On branch  : master

>---------------------------------------------------------------

commit ace93c0dd61b3da84e8bf78e1fc50f4426ff5c55
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Oct 30 20:42:26 2013 +0100

    C Language: Mention mixed signed/unsigned comparisons


>---------------------------------------------------------------

 defensive-coding/en-US/C-Language.xml |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/defensive-coding/en-US/C-Language.xml b/defensive-coding/en-US/C-Language.xml
index b039ed2..f50e36c 100644
--- a/defensive-coding/en-US/C-Language.xml
+++ b/defensive-coding/en-US/C-Language.xml
@@ -141,6 +141,20 @@
       lot when implementing overflow checks.
     </para>
     <para>
+      Sometimes, it is necessary to compare unsigned and signed
+      integer variables.  This results in a compiler warning,
+      <emphasis>comparison between signed and unsigned integer
+      expressions</emphasis>, because the comparison often gives
+      unexpected results for negative values.  When adding a cast,
+      make sure that negative values are covered properly.  If the
+      bound is unsigned and the checked quantity is signed, you should
+      cast the checked quantity to an unsigned type as least as wide
+      as either operand type.  As a result, negative values will fail
+      the bounds check.  (You can still check for negative values
+      separately for clarity, and the compiler will optimize away this
+      redundant check.)
+    </para>
+    <para>
       Legacy code should be compiled with the <option>-fwrapv</option>
       GCC option.  As a result, GCC will provide 2's complement
       semantics for integer arithmetic, including defined behavior on
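Review bot: typo in the new paragraph, "cast the checked quantity to an unsigned type as least as wide as either operand type" should read "at least as wide". The same paragraph would be easier to apply if the rule were shown as code, for example a signed `n` checked against an unsigned `limit` as `if ((unsigned long) n >= limit) goto error;` (types chosen for illustration) with a note that a negative `n` converts to a large unsigned value and therefore fails the check; and "the compiler will optimize away this redundant check" reads as a guarantee, so consider "can optimize away" instead.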
