V5011. OWASP. Possible overflow. Consider casting operands, not the result.
The analyzer has detected a suspicious type cast: the result of a binary operation over 32-bit values is cast to a 64-bit type.
Consider the following example:
unsigned a;
unsigned b;
....
uint64_t c = (uint64_t)(a * b);
This cast is redundant: type 'unsigned' would have been automatically promoted to type 'uint64_t' anyway when executing the assignment operation.
The developer must have intended to take measures against a possible overflow but failed to do that properly. When multiplying 'unsigned' variables, the overflow will take place anyway, and only then will the meaningless product be explicitly promoted to type 'uint64_t'.
It is one of the operands that should have been cast instead to avoid the overflow. Fixed code:
uint64_t c = (uint64_t)a * b;
This diagnostic is classified as:
|