AD2007: EnableCriticalCompilerWarnings¶

Summary¶

Property	Value
ID	AD2007
Name	EnableCriticalCompilerWarnings
Category	Security
Severity	Warning
Applies to	PE (Windows) with PDB files

Description¶

Certain compiler warnings should be enabled and treated as errors to detect potential security issues in code. These warnings catch common programming mistakes that could lead to vulnerabilities.

How It Works¶

The rule examines the command-line arguments stored in the PDB file for each compiland. It checks for:

Adequate warning level (/W3, /W4, or /Wall)
Critical warnings not disabled via /wdNNNN

Critical Warnings¶

Warning	Description
C4018	Signed/unsigned mismatch in comparison
C4146	Unary minus applied to unsigned type
C4244	Conversion with possible loss of data
C4267	Conversion from `size_t` to smaller type
C4302	Pointer truncation
C4308	Negative constant converted to unsigned
C4509	SEH and destructor interaction
C4532	Jump out of `__finally` block
C4533	Initialization skipped by `goto`
C4700	Uninitialized variable used
C4789	Buffer overrun in intrinsic function
C4995	Deprecated function (pragma)
C4996	Deprecated function (POSIX)

Why This Matters¶

Compiler warnings exist because decades of security research have identified code patterns that frequently lead to vulnerabilities. Disabling or ignoring these warnings often means ignoring real security bugs.

Vulnerability Classes Detected¶

Integer Issues (C4018, C4146, C4244, C4267, C4302, C4308)¶

Integer vulnerabilities are among the most common security bugs:

// C4267: size_t to int conversion
void vulnerable(size_t user_size) {
    int size = user_size;  // Truncation if user_size > INT_MAX
    char *buf = malloc(size);  // Could allocate tiny buffer
    read(fd, buf, user_size);  // Massive overflow!
}

Real-world impact: Integer truncation bugs have caused critical vulnerabilities in SSL/TLS implementations, image parsers, and kernel code.

Uninitialized Variables (C4700)¶

Using uninitialized memory leads to unpredictable behavior:

int check_password(const char *input) {
    int result;  // Not initialized!
    if (strcmp(input, correct_password) == 0)
        result = 1;
    return result;  // May return 1 even for wrong password!
}

Real-world impact: Information disclosure (reading uninitialized heap data) and authentication bypasses.

Buffer Overflows (C4789)¶

The compiler can detect some buffer overflows at compile time:

void vulnerable() {
    char buffer[10];
    strcpy(buffer, "This string is way too long");  // C4789
}

Deprecated Functions (C4995, C4996)¶

POSIX and Microsoft have deprecated unsafe functions:

gets(buffer);      // C4996 - no bounds checking possible
strcpy(dst, src);  // C4996 - use strcpy_s instead

The `/W4 /WX` Philosophy¶

The combination of high warning level (/W4) and treating warnings as errors (/WX) enforces a discipline where potential security issues must be addressed before code can compile.

Setting	Effect
`/W3`	Default level, catches many issues
`/W4`	More warnings, catches subtle bugs
`/Wall`	All warnings, very noisy
`/WX`	Treat warnings as errors

Historical Impact¶

Major software projects have reported that enabling higher warning levels and treating warnings as errors has uncovered real security vulnerabilities that had been present for years.

Performance Considerations¶

There is no runtime performance impact—warnings are compile-time checks only. The only "cost" is developer time to fix the identified issues, which is far less than the cost of a security incident.

Resolution¶

Enable Warning Level 4¶

cl.exe /W4 ...

Treat Warnings as Errors¶

cl.exe /W4 /WX ...

Project Properties¶

Open Project Properties
Navigate to C/C++ → General
Set "Warning Level" to "Level4 (/W4)"
Set "Treat Warnings As Errors" to "Yes (/WX)"

CMake¶

if(MSVC)
    add_compile_options(/W4 /WX)
endif()

Re-enable Disabled Warnings¶

If you've disabled critical warnings, re-enable them:

#pragma warning(default: 4244)  // Re-enable C4244

When to Suppress¶

This rule can be suppressed in the following scenarios:

Third-party headers: When third-party code generates warnings
Generated code: Machine-generated code that's impractical to fix
Documented exceptions: When the warning is understood and acceptable

Best Practices¶

Instead of disabling warnings, consider:

Fix the code: Address the underlying issue
Use explicit casts: static_cast<int>(size_t_value)
Scope suppressions: Use #pragma warning(push/pop) locally

#pragma warning(push)
#pragma warning(disable: 4244)
// Specific code with known safe truncation
legacy_function(static_cast<int>(value));
#pragma warning(pop)

Caveats¶

Requires PDB files with command-line information
Some older projects may have many warnings to address
Third-party dependencies may require warning suppression