VNX-194 – Unexpected Sign Extension

Overview

On most platforms char is signed. Values 128-255 have the high bit set, so widening a signed char to int sign-extends them to negative numbers, and converting to size_t turns that negative value into a very large one. Using a char as an array index can therefore produce a negative index. Passing a char to tolower()/toupper() without an (unsigned char) cast is undefined behavior when the value is negative. This maps to CWE-194: Unexpected Sign Extension.

Severity: Medium | CWE: CWE-194

Remediation

#include <ctype.h>  // tolower/toupper

// SAFE: cast to unsigned char before widening
unsigned char uc = (unsigned char)c;
int idx = uc;  // always 0-255

// SAFE: tolower/toupper
int lower = tolower((unsigned char)c);
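
The following is an added example, not part of the original rule text: it contrasts direct widening with the unsigned char cast on a constructed buffer containing high-bit bytes. The function names, TABLE_SIZE and the sample buffer are assumptions made for illustration; signed char is used explicitly so the result is the same whether or not the build target's plain char is signed.

```c
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 256

/* Constructed sample: "caf" followed by the UTF-8 bytes 0xC3 0xA9, stored as
 * signed char to model a signed-char platform regardless of the build target. */
static const signed char SAMPLE[] = { 'c', 'a', 'f', -61 /* 0xC3 */, -87 /* 0xA9 */ };
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Direct widening: sign-extends, so bytes 0x80-0xFF become -128..-1. */
static int index_naive(signed char c) { return c; }

/* Same byte converted to size_t: the negative value wraps to a huge offset. */
static size_t index_naive_size(signed char c) { return (size_t)c; }

/* Remediation from the page: go through unsigned char first, result is 0..255. */
static int index_safe(signed char c) { return (unsigned char)c; }

/* Count naive indices outside the table; only range-checked, never dereferenced. */
static size_t count_out_of_bounds(const signed char *buf, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        int idx = index_naive(buf[i]);
        if (idx < 0 || idx >= TABLE_SIZE) bad++;
    }
    return bad;
}

/* Byte histogram built with the safe index; returns the count for one byte. */
static unsigned histogram_count(const signed char *buf, size_t n, unsigned char byte)
{
    unsigned counts[TABLE_SIZE] = {0};
    for (size_t i = 0; i < n; i++)
        counts[index_safe(buf[i])]++;
    return counts[byte];
}

int main(void)
{
    printf("naive int=%d size_t=%zu safe=%d\n", index_naive(SAMPLE[3]),
           index_naive_size(SAMPLE[3]), index_safe(SAMPLE[3]));
    printf("naive out-of-bounds: %zu, safe count of 0xC3: %u\n",
           count_out_of_bounds(SAMPLE, SAMPLE_LEN),
           histogram_count(SAMPLE, SAMPLE_LEN, 0xC3));
    return 0;
}
```

ASCII bytes index identically either way, which is why this defect tends to surface only once non-ASCII input reaches the lookup.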
