Integer Overflow
Integer overflow produces wrong arithmetic — often a length calculation — that later drives an undersized buffer allocation.
Definition
Integer overflow is the family of bugs in which an arithmetic operation produces a result that does not fit in the target integer type. In C the result wraps silently for unsigned types and is undefined behaviour for signed types, which in practice usually also means a wrapped value. The bug is rarely the security issue on its own — the security issue arises when the wrong value flows into a subsequent length, index, or allocation calculation.
The textbook case is `malloc(count * sizeof(item))` when `count` is attacker-controlled: a sufficiently large `count` overflows the multiplication, `malloc` returns a tiny buffer, the loop that writes `count` items walks off the end. Every memory-corruption vulnerability that begins "the size calculation was wrong" is in this family.
How it works
The attacker submits a value that causes the size or length computation to wrap. The downstream code uses the wrapped value to allocate a buffer, set a loop bound, or compute an offset. The buffer is too small, the loop runs too long, or the offset lands somewhere the developer did not anticipate. The resulting out-of-bounds read or write becomes the actual exploit primitive.
Impact
Memory corruption (overflow into a too-small buffer), information disclosure (out-of-bounds read), denial of service. Combined with a heap-grooming primitive, frequently RCE.
Mitigation
Use checked arithmetic (`__builtin_add_overflow` and `__builtin_mul_overflow` in GCC/Clang, `std::numeric_limits` plus range checks in C++, the checked integer methods in Rust's standard library). Use `size_t` for sizes and remember that a computation which cannot wrap on a 64-bit target may still wrap on a 32-bit one, so review size arithmetic against the narrowest word size the code is built for. Compile with UBSan in test builds to catch signed-overflow undefined behaviour.
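The textbook `malloc(count * sizeof(item))` case from the Definition, beside the checked-arithmetic fix recommended above, as an added example that is not code from the original page. It models a 32-bit target by doing the size arithmetic in `uint32_t`; the `item_t` layout and the hostile `count` value are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A 16-byte record as a parser might read it from untrusted input (constructed). */
typedef struct { uint32_t id; uint32_t flags; uint8_t payload[8]; } item_t;

/* Sizes are computed in a 32-bit type to model a 32-bit target, where
 * size_t is 32 bits wide and the classic `count * sizeof(item)` wraps. */
typedef uint32_t size32_t;

/* Vulnerable: unchecked multiplication. For count = 0x10000001 the true
 * product is 0x100000010, which wraps to 16 in 32 bits, so malloc hands
 * back room for one item while the caller believes it holds `count`. */
size32_t naive_alloc_size(size32_t count) {
    return count * (size32_t)sizeof(item_t);
}

/* Hardened: __builtin_mul_overflow (GCC/Clang) reports the wrap instead of
 * silently truncating. Returns false on overflow; *out is valid only on true. */
bool checked_alloc_size(size32_t count, size32_t *out) {
    return !__builtin_mul_overflow(count, (size32_t)sizeof(item_t), out);
}

/* Portable variant for compilers without the builtin: the bound is derived
 * by division, so the check itself cannot overflow. */
bool checked_alloc_size_portable(size32_t count, size32_t *out) {
    if (count > UINT32_MAX / sizeof(item_t)) return false;
    *out = count * (size32_t)sizeof(item_t);
    return true;
}

/* Allocate an item array from an untrusted count, refusing wrapped sizes. */
item_t *alloc_items(size32_t count) {
    size32_t bytes;
    if (!checked_alloc_size(count, &bytes)) return NULL; /* would overflow */
    return malloc(bytes); /* bytes is exact; no silent shrink is possible */
}

int main(void) {
    size32_t attacker_count = 0x10000001u; /* constructed hostile input */
    size32_t safe = 0;
    printf("naive size: %u bytes for %u items\n",
           naive_alloc_size(attacker_count), attacker_count);
    printf("checked: %s\n",
           checked_alloc_size(attacker_count, &safe) ? "ok" : "refused");
    return 0;
}
```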
Examples
- CVE-2018-6789 — Exim integer overflow leading to heap buffer overflow.