Merge pull request #5651 from Rastaban/docs-editor/c26831-1724366717

Jill Grant · web-flow · commit b9ad53a30dc5 · 2025-01-10T17:41:08.000-07:00
Add c26838 and c26839 documentation
diff --git a/docs/code-quality/c26831.md b/docs/code-quality/c26831.md
@@ -58,4 +58,6 @@ void foo(int i, int j)
 ## See also
 
 [`C26832`](c26832.md)\
-[`C26833`](c26833.md)
+[`C26833`](c26833.md)\
+[`C26838`](c26838.md)\
+[`C26839`](c26839.md)
diff --git a/docs/code-quality/c26838.md b/docs/code-quality/c26838.md
@@ -0,0 +1,62 @@
+---
+title: Warning C26838
+description: Learn about Microsoft C++ code analysis warning C26838.
+author: Rastaban
+ms.author: philc
+ms.topic: reference
+ms.date: 1/10/2025
+---
+# Warning C26838
+
+> Allocation size is the result of a signed to unsigned narrowing conversion that could result in overflow if the signed value is negative.
+
+This warning was added in Visual Studio 2022 version 17.13.
+
+## Remarks
+
+Reports that the size specified for an allocation may be the result of the conversion of a possibly negative signed value to an unsigned value. For example:
+
+```cpp
+void* CustomAlloc(size_t);
+
+int* CreateIntArray(int numberOfElements)
+{
+    int* p = (int*)CustomAlloc(numberOfElements * sizeof(int)); // Warning: C26838
+
+    return p;
+}
+```
+
+The expression `numberOfElements * sizeof(int)`, `numberOfElements` is signed and `sizeof(int)` is unsigned. On 64-bit machines, `numberOfElements` is promoted to an unsigned value when multiplied
+by `sizeof(int)`. When `numberOfElements` is negative, the resulting value may overflow or have unexpected results when passed to `CustomAlloc`.
+
+This check applies to common allocation functions like `new`, `malloc`, and `VirtualAlloc`. The check also applies to custom allocator functions that have `alloc` (case insensitive) in the function name.
+
+This check sometimes fails to recognize that certain checks can prevent overflows because the check is conservative.
+
+## Example
+
+To fix the previous code example in which `numberOfElements * sizeof(int)` might overflow due to a negative signed value, introduce a check to ensure it won't. For example:
+
+```cpp
+void* CustomAlloc(size_t);
+
+int* CreateIntArray(int numberOfElements)
+{
+    if (numberOfElements < 0)
+        return nullptr;
+
+    int* p = (int*)CustomAlloc(numberOfElements * sizeof(int));
+    // ...
+    return p;
+}
+```
+
+In the previous example, checking for a negative value addresses the `C26832` warning. Depending on the size of the types involved, this check may result in a different warning such as [`C26831`](c26831.md). For example, on a 32-bit system, both `int` and `size_t` are 32 bits, so the result of the multiplication can still overflow without negative values.
+
+## See also
+
+[`C26831`](c26831.md)\
+[`C26832`](c26832.md)\
+[`C26833`](c26833.md)\
+[`C26833`](c26839.md)
diff --git a/docs/code-quality/c26839.md b/docs/code-quality/c26839.md
@@ -0,0 +1,53 @@
+---
+title: Warning C26839
+description: Learn about Microsoft C++ code analysis warning C26839.
+author: Rastaban
+ms.author: philc
+ms.topic: reference
+ms.date: 1/10/2025
+---
+# Warning C26839
+
+> Array new allocation size is the result of a signed to unsigned narrowing conversion that could result in overflow if the signed value is negative.
+
+This warning was added in Visual Studio 2022 version 17.13.
+
+## Remarks
+
+Reports that the size specified for an array `new` allocation may be the result of the conversion of a possibly negative signed value to an unsigned value. For example:
+
+```cpp
+int* CreateIntArray(int size)
+{
+    int* intArray = new int[size];
+    return intArray;
+}
+```
+
+The expression `new int[size]`, `size` is signed. The compiler converts the signed value to an unsigned value to calculate how many bytes to be allocated for the array. When `size` is negative, the result of that calculation may overflow or have unexpected results when passed to `new`.
+
+This check is the same as [`C26838`](c26838.md), but applies only to `new T[]`.
+
+This check sometimes fails to recognize that certain checks can prevent overflows because the check is conservative.
+
+## Example
+
+To fix the previous code example in which the size calculation might overflow due to a negative signed value, introduce a check to ensure it won't. For example:
+
+```cpp
+int* CreateIntArray(int size)
+{
+    if (size < 0)
+        return nullptr;
+
+    int* intArray = new int[size];
+    return intArray;
+}
+```
+
+## See also
+
+[`C26831`](c26831.md)\
+[`C26832`](c26832.md)\
+[`C26838`](c26833.md)\
+[`C26838`](c26838.md)
diff --git a/docs/code-quality/toc.yml b/docs/code-quality/toc.yml
@@ -633,6 +633,10 @@ items:
     href: ../code-quality/c26830.md
   - name: Warning C26831
     href: ../code-quality/c26831.md
+  - name: Warning C26838
+    href: c26838.md
+  - name: Warning C26839
+    href: c26839.md
   - name: Warning C26832
     href: ../code-quality/c26832.md
   - name: Warning C26833
