Integer Overflows

Memcpy Example:

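/**
 * Copy `size` bytes, starting `offset` bytes into `src`, to `dst`.
 *
 * @param dst     destination buffer; the caller must provide at least `size` bytes
 * @param src     source buffer
 * @param offset  byte offset into `src` where the copy starts
 * @param size    number of bytes to copy
 * @param srclen  total length of `src` in bytes
 * @return 0 on success, -1 if the requested range does not fit inside `src`
 */
int slice(void *dst, void *src, size_t offset, size_t size, size_t srclen)
{
    /*
     * `size_t` is an unsigned integer type, so the naive bounds check
     *
     *     if (offset + size > srclen) return -1;
     *
     * is the integer overflow this example is about: when `offset + size`
     * exceeds the maximum size_t value the sum wraps around to a small
     * number, the check passes, and memcpy() then reads outside `src`.
     *
     * The form below never adds the two untrusted values. `offset` is
     * validated first, which makes `srclen - offset` safe from underflow,
     * and `size` is then compared against the space that is actually left.
     */
    if (offset > srclen || size > srclen - offset) {
        return -1;
    }

    /* Arithmetic on `void *` is a compiler extension; step through a byte pointer. */
    memcpy(dst, (const unsigned char *)src + offset, size);

    /* The function is declared `int`, so the success path must return a value too. */
    return 0;
}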

Strcpy Example:

Code Example:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Deliberately vulnerable demonstration program: an integer truncation in
 * main() defeats the length check that is supposed to protect the fixed-size
 * buffer in buffer_the_data().
 */

/* Count the bytes in `data` up to, but not including, the terminating NUL. */
unsigned int get_length(char data[])
{
    unsigned int count = 0;

    while (data[count] != '\0') {
        count++;
    }
    return count;
}

/*
 * Copy `data` into a 32-byte stack buffer and print it.
 *
 * strcpy() performs no bounds checking, so this function is only safe when
 * the caller guarantees that `data` is shorter than 32 bytes. A bounded copy
 * such as snprintf(dataBuf, sizeof dataBuf, "%s", data) would remove that
 * dependency on the caller.
 */
void buffer_the_data(char data[])
{
    char dataBuf[32];

    strcpy(dataBuf, data);
    printf("Data is %s\n", dataBuf);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Usage: %s <DATA>\n", argv[0]);
        exit(-1);
    }

    /*
     * The flaw: get_length() returns an unsigned int, but the result is
     * narrowed to unsigned char. Where unsigned char is 8 bits wide, only the
     * low 8 bits survive, so a 270-byte argument is recorded as 14 and passes
     * the "< 32" test below even though it is far larger than the buffer.
     *
     * Mitigation: keep the length in a type at least as wide as the one that
     * produced it (size_t from strlen() is the usual choice) and compare
     * before any narrowing. Building with -Wconversion reports this kind of
     * implicit narrowing.
     */
    const unsigned char dataLen = (unsigned char)get_length(argv[1]);

    if (dataLen >= 32) {
        printf("The data you entered is too large. Data must be less than 32 bytes.\n");
        return 0;
    }

    printf("Data is valid!\n");
    buffer_the_data(argv[1]);
    return 0;
}

Exploit Example:

# Lab-only build: -fno-stack-protector turns off the stack canary that would
# otherwise abort the process when the return path of buffer_the_data() is
# corrupted. Real builds should keep the compiler's default hardening
# (e.g. -fstack-protector-strong, -D_FORTIFY_SOURCE=2).
gcc -fno-stack-protector -o int_overflow int_overflow.c

# A 270-byte argument: its length does not fit in the program's unsigned char
# length variable, so the "less than 32 bytes" check passes and strcpy()
# writes past the end of the 32-byte stack buffer.
./int_overflow "$(python -c "print('E' * 270)")"

Conversions from Float to Int Overflow

#include <stdio.h>

/*
 * Demonstrates that converting a float to int is undefined behaviour once the
 * value no longer fits in an int: the same source prints different results
 * on different architectures (see the recorded output below).
 *
 * Defensive pattern: validate the range before casting, e.g. for a 32-bit
 * int, reject NaN and require
 *     f >= -2147483648.0f && f < 2147483648.0f
 * and handle the out-of-range case explicitly instead of relying on whatever
 * the hardware happens to produce.
 */
int main(void)
{
    float f = 1.5f;

    /* Double f on every pass so it eventually exceeds the range of int. */
    for (int step = 0; step < 50; ++step) {
        int n = (int)f;  /* float to int is UB if the value overflows int */

        printf("%f, %i\n", f, n);
        f *= 2.0f;
    }
    return 0;
}

/*
 * Excerpt of the output around the point where f exceeds INT_MAX.
 *
 * x86
 *   402653184.000000, 402653184
 *   805306368.000000, 805306368
 *   1610612736.000000, 1610612736
 *   3221225472.000000, -2147483648
 *   6442450944.000000, -2147483648
 *   12884901888.000000, -2147483648
 *
 * ARM
 *   402653184.000000, 402653184
 *   805306368.000000, 805306368
 *   1610612736.000000, 1610612736
 *   3221225472.000000, 2147483647
 *   6442450944.000000, 2147483647
 *   12884901888.000000, 2147483647
 */