The case for integer overflow checks?
Andrei Alexandrescu
SeeWebsiteForEmail at erdani.org
Mon Sep 18 13:25:55 UTC 2017
On 09/15/2017 04:46 AM, Guillaume Piolat wrote:
> As a die-hard native programmer I was always disgusted by integer
> overflow checks and array bounds checks. Littering code with branches
> everywhere? Just let me go as fast as possible please!
>
> Last week security people explained to me how a share of today's
> vulnerabilities are attacks on image parsers, and how integer
> overflow checks may help there.
>
> IIRC a typical attack on image format parser is to forge an image with a
> width and height that will overflow an int.
>
> On allocation, the result of the multiplication wraps around like this:
>
> int width = parse_width_from_stream(); // eg: 131072
> int height = parse_height_from_stream(); // eg: 131073
> ubyte[] data = malloc(width * height * 4); // wraps around, allocates way less memory than that
For the record, with the help of std.experimental.checkedint, the change
that fixes the code would be:
malloc(width * height * 4) ==> malloc((checked(width) * height * 4).get)
That aborts the application with a message if a multiplication overflows.
Andrei
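An added example, not from this thread: the same computation in C (the fix in the reply uses D's checkedint; this mirrors `(checked(width) * height * 4).get` for a 32-bit int), showing with the dimensions quoted above both the wrapped size the unchecked code would hand to malloc and a checked version that rejects the image instead of aborting. Function names and the sample inputs are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What the unchecked code in the quoted post computes when int is 32 bits.
 * Done in uint32_t so the wrap-around is well defined (signed int overflow
 * is undefined behaviour in C). 131072 * 131073 * 4 = 2^36 + 2^19,
 * which wraps to 524288 bytes instead of roughly 68 GB. */
uint32_t wrapped_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* silently wraps modulo 2^32 */
}

/* Checked counterpart of checked(width) * height * 4 for a 32-bit int:
 * each product is formed in 64 bits and refused if it no longer fits in an
 * int. Returns false on overflow so the parser can reject the file. */
bool checked_mul_int(int a, int b, int *out)
{
    int64_t r = (int64_t)a * (int64_t)b;   /* cannot overflow int64 for int inputs */
    if (r > INT_MAX || r < INT_MIN)
        return false;
    *out = (int)r;
    return true;
}

/* Allocation size for width x height pixels of bpp bytes each, or false if
 * the dimensions are non-positive or the product overflows int. */
bool checked_pixel_bytes(int width, int height, int bpp, int *out)
{
    int n;
    if (width <= 0 || height <= 0 || bpp <= 0)
        return false;
    return checked_mul_int(width, height, &n) && checked_mul_int(n, bpp, out);
}

int main(void)
{
    int width = 131072, height = 131073;   /* dimensions from the quoted post (constructed input) */
    int need;

    printf("unchecked 32-bit size: %u bytes\n",
           wrapped_pixel_bytes((uint32_t)width, (uint32_t)height, 4));
    if (!checked_pixel_bytes(width, height, 4, &need)) {
        fprintf(stderr, "image dimensions overflow the allocation size, rejecting file\n");
        return 1;
    }
    unsigned char *data = malloc((size_t)need);   /* only reached for sane dimensions */
    free(data);
    return 0;
}
```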