Integer overflow or wraparound
Description
The size of Go's `int` type depends on the architecture the application runs on: on 32-bit systems `int` is 32 bits wide, on 64-bit systems it is 64 bits wide. `strconv.Atoi` returns an `int`, so a large parsed number fits there but silently wraps around if the result is then converted to a smaller type such as `int32` or `int16`. Depending on how the converted value is used (a length, an index, a limit), this can cause unexpected application behavior.
Examples
Insecure Code
```go
// Insecure: Atoi returns a platform-sized int; narrowing it to int16 wraps
// silently, so "32768" becomes -32768.
bigValue, _ := strconv.Atoi("32768")
value := int16(bigValue)
```
Secure Code
```go
// Secure: reject parse errors and any value outside the int16 range
// before converting.
bigValue, err := strconv.Atoi("32768")
if err != nil || bigValue < math.MinInt16 || bigValue > math.MaxInt16 {
	log.Fatal("value too large to fit in int16")
}
value := int16(bigValue)
```
Remediation
Check that the value returned from `strconv.Atoi` fits in the target integer type before converting it.
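The following runnable program (an added example, not part of the rule's own text) contrasts the wrapping conversion with two safe variants: the manual range check from the secure snippet above, extended to the lower bound, and `strconv.ParseInt` with an explicit bit size, which performs the range check itself and reports `strconv.ErrRange`. Function names and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// unsafeInt16 reproduces the insecure pattern: narrowing the int from Atoi wraps silently.
func unsafeInt16(s string) int16 {
	n, _ := strconv.Atoi(s)
	return int16(n)
}

// safeInt16Manual is the page's range-check remediation, also covering the lower bound.
func safeInt16Manual(s string) (int16, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	if n < math.MinInt16 || n > math.MaxInt16 {
		return 0, fmt.Errorf("value %d does not fit in int16", n)
	}
	return int16(n), nil
}

// safeInt16Parse lets strconv enforce the range: bitSize 16 makes ParseInt return
// a *NumError wrapping strconv.ErrRange for anything outside [-32768, 32767].
func safeInt16Parse(s string) (int16, error) {
	n, err := strconv.ParseInt(s, 10, 16)
	if err != nil {
		return 0, err
	}
	return int16(n), nil
}

// isRangeError reports whether err is the out-of-range error from strconv.
func isRangeError(err error) bool {
	return errors.Is(err, strconv.ErrRange)
}

func main() {
	// Constructed inputs: the boundary value and three that do not fit in int16.
	for _, s := range []string{"32767", "32768", "-32769", "65536"} {
		v, err := safeInt16Parse(s)
		fmt.Printf("%-7s unsafe=%6d safe=%6d err=%v\n", s, unsafeInt16(s), v, err)
	}
}
```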
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0792 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-190 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | integer overflow, wraparound |
| OWASP | A1:2017-Injection, A03:2021-Injection |