// Security anti-pattern for integer overflow vulnerabilities (CWE-190). Use when generating or reviewing code that performs arithmetic on user-controlled values, handles sizes/quantities, or calculates prices/amounts. Detects overflow in validated inputs.
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | integer-overflow-anti-pattern |
| description | Security anti-pattern for integer overflow vulnerabilities (CWE-190). Use when generating or reviewing code that performs arithmetic on user-controlled values, handles sizes/quantities, or calculates prices/amounts. Detects overflow in validated inputs. |
Severity: High
Integer overflow occurs when arithmetic operations exceed the maximum value for a data type, causing values to wrap around to small or negative numbers instead of erroring. Individually valid user-controlled inputs combined in calculations create exploitable conditions. Attackers bypass security checks, trigger buffer overflows, and manipulate financial transactions through overflow exploitation.
Never perform arithmetic operations on user-controlled inputs without checking for overflow. Individual input validation is insufficient.
// VULNERABLE: Individual values are checked, but their multiplication can overflow.
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
void process_purchase(uint32_t quantity, uint32_t price_per_item) {
// Both inputs are validated and seem reasonable on their own.
if (quantity > 1000) {
printf("Error: Quantity too high.\n");
return;
}
if (price_per_item > 100000) {
printf("Error: Price per item too high.\n");
return;
}
// Attacker sets `quantity = 50000` and `price_per_item = 100000`.
// Both might pass initial checks if those checks are weak.
// The expected total is 5,000,000,000.
// The maximum value for a 32-bit unsigned integer is 4,294,967,295.
uint32_t total_cost = quantity * price_per_item; // OVERFLOW!
// The `total_cost` wraps around to a small number (705,032,704 in this case).
// The attacker is charged a fraction of the real price.
printf("Charging customer: %u\n", total_cost);
charge_customer(total_cost);
}
// SECURE: Check for potential overflow before performing the multiplication.
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
void process_purchase_safe(uint32_t quantity, uint32_t price_per_item) {
if (quantity > 1000) {
printf("Error: Quantity too high.\n");
return;
}
if (price_per_item > 100000) {
printf("Error: Price per item too high.\n");
return;
}
// Pre-condition check: before multiplying, verify if the result would exceed the maximum value.
if (price_per_item > 0 && quantity > UINT32_MAX / price_per_item) {
printf("Error: Potential overflow detected. Transaction cancelled.\n");
return;
}
// The multiplication is now safe to perform.
uint32_t total_cost = quantity * price_per_item;
printf("Charging customer: %u\n", total_cost);
charge_customer(total_cost);
}
Python:
# VULNERABLE: Python 3 has arbitrary precision integers, but C extensions don't
import ctypes
def allocate_buffer(width, height, bytes_per_pixel):
# Individually valid: width=1000000, height=1000000, bytes_per_pixel=4
# Product: 4,000,000,000,000 - may overflow in C extension
size = width * height * bytes_per_pixel
# When passed to C extension expecting int32:
buffer = ctypes.create_string_buffer(size) # Overflow in C layer!
return buffer
# SECURE: Check for overflow before calculation
import sys
def allocate_buffer_safe(width, height, bytes_per_pixel):
MAX_INT32 = 2**31 - 1
# Check multiplication won't overflow
if height > 0 and width > MAX_INT32 // (height * bytes_per_pixel):
raise ValueError("Buffer size would overflow")
size = width * height * bytes_per_pixel
if size > MAX_INT32:
raise ValueError(f"Buffer size {size} exceeds maximum")
buffer = ctypes.create_string_buffer(size)
return buffer
JavaScript:
// VULNERABLE: JavaScript numbers are 64-bit floats but lose precision
function calculateTotal(quantity, pricePerUnit) {
// Numbers > 2^53 lose precision
// quantity=10000000000000, pricePerUnit=100
const total = quantity * pricePerUnit; // Precision loss!
return total;
}
// SECURE: Use BigInt for large calculations
function calculateTotalSafe(quantity, pricePerUnit) {
const MAX_SAFE = Number.MAX_SAFE_INTEGER; // 2^53 - 1
// Check for overflow before calculating
if (quantity > MAX_SAFE / pricePerUnit) {
throw new Error('Calculation would overflow safe integer range');
}
const total = quantity * pricePerUnit;
return total;
}
// Or use BigInt for arbitrary precision
function calculateTotalBigInt(quantity, pricePerUnit) {
const total = BigInt(quantity) * BigInt(pricePerUnit);
return total;
}
Java:
// VULNERABLE: Multiplication without overflow check
public long calculateTotalPrice(int quantity, int pricePerItem) {
// Both int32, but product may overflow before promotion to long
long total = quantity * pricePerItem; // Overflow before cast!
return total;
}
// SECURE: Use Math.multiplyExact or manual checks
public long calculateTotalPriceSafe(int quantity, int pricePerItem) {
try {
// Math.multiplyExact throws ArithmeticException on overflow
return Math.multiplyExact(quantity, pricePerItem);
} catch (ArithmeticException e) {
throw new IllegalArgumentException("Price calculation overflow", e);
}
}
// Alternative: Cast to long before multiplication
public long calculateTotalPriceSafe2(int quantity, int pricePerItem) {
long total = (long) quantity * pricePerItem;
if (total > Integer.MAX_VALUE) {
throw new IllegalArgumentException("Total exceeds maximum");
}
return total;
}
rg '\*|[+]' --type c --type cpp -A 2 -B 2 (C/C++)rg 'quantity.*price|amount.*rate|size.*count' -irg '(?<!if.*)\w+\s*[*+]\s*\w+' --type ccpp/uncontrolled-arithmetic-analyzer-checker=security.intoverflowa * b), the check is if (a > MAX_INT / b). For addition (a + b), it's if (a > MAX_INT - b).long long in C, long in Java) instead of a 32-bit one.BigDecimal in Java, decimal in Python).-ftrapv in GCC/Clang) that can detect and abort on signed integer overflows.