September 27, 2003

An Overlooked Construct and an Integer Overflow Redux

Here is an interesting article from Michael on "An Overlooked Construct and an Integer Overflow Redux". It dawned on me I didn't post this earlier when I was showing Arc some code and he wasn't sure what my integer sentry counter for overflowing was doing. This article will put it into perspective for you.

Anyways, as usual it's a great article if you wish to learn how to code securely. Happy reading.

Posted by SilverStr at September 27, 2003 08:06 PM
Comments

Interesting that you post this, because this week I was reminded how easy it is to overrun an integer.

In my situation it was with a database column in MySQL. The column was of type "Integer" which is int(11). This field contained values consisting of numbers of stored bytes. Worked fine for a couple of days, but when some of the values were incremented to 2GB, it caused the db value to wrap around and do strange things. By changing the datatype to bigint (which is int(20)), byte values up to billions of TB can be stored.

This issue was tricky to discover, because MySQL doesn't treat integer wraparounds as fatal errors; it just gives a warning. So by the time the problem was discovered, all the data in the db was inaccurate/unreliable.

So the lesson of this story is to review variable/data types that others have come up with, and do some simple tests around the boundary conditions.

Posted by: Wim at September 27, 2003 11:00 PM
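The boundary test the comment above recommends, as an added example that is not part of the original post or comment: a byte counter is checked against the signed 32-bit limit before it is incremented, so the write is refused at 2 GB instead of storing a wrapped value. The function names are hypothetical, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: add `delta` bytes to a running total that will be
 * stored in a signed 32-bit column. Returns false and leaves *total
 * untouched when the sum would not fit. */
bool add_bytes_i32(int32_t *total, int64_t delta)
{
    if (*total < 0 || delta < 0)
        return false;                    /* byte counts are never negative */
    if (delta > (int64_t)INT32_MAX - *total)
        return false;                    /* sum would pass 2^31 - 1 */
    *total += (int32_t)delta;
    return true;
}

/* Same check for a signed 64-bit (bigint-sized) total. */
bool add_bytes_i64(int64_t *total, int64_t delta)
{
    if (*total < 0 || delta < 0)
        return false;
    if (delta > INT64_MAX - *total)
        return false;
    *total += delta;
    return true;
}

/* What an unchecked 32-bit add yields under two's-complement wraparound,
 * computed with unsigned arithmetic so the demonstration is well defined. */
int64_t wrapped_i32(int32_t total, int32_t delta)
{
    uint32_t w = (uint32_t)total + (uint32_t)delta;
    return w > (uint32_t)INT32_MAX ? (int64_t)w - 4294967296LL : (int64_t)w;
}

int main(void)
{
    int32_t small = INT32_MAX - 1;       /* constructed: one step below the limit */
    int64_t big = INT32_MAX;             /* constructed: exactly at the 32-bit limit */
    printf("i32 to limit:   %d\n", add_bytes_i32(&small, 1));
    printf("i32 past limit: %d\n", add_bytes_i32(&small, 1));
    printf("unchecked add:  %lld\n", (long long)wrapped_i32(INT32_MAX, 1));
    bool ok = add_bytes_i64(&big, 1);
    printf("i64 past 2 GB:  %d -> %lld\n", ok, (long long)big);
    return 0;
}
```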