Skip to content

Integer Overflows

Integer Overflows

Memcpy Example:

int slice(void *dst, void *src, size_t offset, size_t size, size_t srclen){
	if(offset + size > srclen){ //Integer Overflow Here
		return -1;
	}
	//`size_t` is an unsigned integer type
	memcpy(dst, src+offset, size);
}

Strcpy Example:

Code Example:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

unsigned int get_length(char data[]){
    unsigned int size;
    for (size = 0; data[size] != '\0'; size++);
    
    return size;
}

void buffer_the_data(char data[]){
    char dataBuf[32];
    //copy data into dataBuf[]
    strcpy(dataBuf,data);
    printf("Data is %s\n",dataBuf);
}

int main(int argc, char *argv[]){
    
    if (argc < 2){
        printf("Usage: %s <DATA>\n",argv[0]);
        exit(-1);
    }
    
    unsigned char dataLen = get_length(argv[1]);
    
    if (dataLen < 32){
        printf("Data is valid!\n");
        buffer_the_data(argv[1]);
    }else{
        printf("The data you entered is too large. Data must be less than 32 bytes.\n");
    }
    
    return 0;
}

Exploit Example:

gcc -fno-stack-protector -o int_overflow int_overflow.c
./int_overflow `python -c "print('E' * 270)"`

Conversions from Float to Int overflow

#include <stdio.h>

int main(void) {
  float f = 1.5f;
  int i, n;

  for(i = 0; i < 50; i++, f *= 2.0f) {
    n = 0;
    n = (int)f; // float to int is UB if overflow
    printf("%f, %i\n", f, n);
  }

  return 0;
}
/*
x86
402653184.000000, 402653184
805306368.000000, 805306368
1610612736.000000, 1610612736
3221225472.000000, -2147483648
6442450944.000000, -2147483648
12884901888.000000, -2147483648

ARM
402653184.000000, 402653184
805306368.000000, 805306368
1610612736.000000, 1610612736
3221225472.000000, 2147483647
6442450944.000000, 2147483647
12884901888.000000, 2147483647
*/