Integers and Integer Operations in C
Vulnerabilities, Attacks, and Mitigations
Prof. David Bernstein
Computer Science Department
bernstdh@jmu.edu
length - 2 + 1, which is the value passed to malloc()

    void initialize_buffer(int size) {
        if (size < MAX_SIZE)
            buffer = malloc(size);
        else
            // handle the error
            ;
    }
malloc() has a parameter of type size_t, so the int must be converted, which could result in a too-large value if size is negative.

    unsigned short int total;
    total = strlen(first) + strlen(last) + 1;
    char* both = (char *)malloc(total);
    strcpy(both, first);
    strcat(both, last);
Because total is an unsigned short int, a sum of 65500 + 36 + 1 means total will be assigned the value 65537 % 65536 (i.e., 1).

signed or unsigned
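As an added example (not from the slides), the following C program reproduces both hazards discussed above, the signed-to-size_t conversion in initialize_buffer() and the unsigned short truncation of total, each next to a checked version that refuses the bad value instead of undersizing the allocation. It assumes a 16-bit unsigned short, as noted in a comment.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors initialize_buffer(): the int is converted to size_t for malloc(),
   so a negative size becomes a huge unsigned value. Returns what malloc()
   would actually receive. */
size_t converted_size(int size) {
    return (size_t)size;            /* -1 becomes SIZE_MAX */
}

/* Checked version: reject negatives before any conversion takes place. */
bool size_is_valid(int size, size_t max_size) {
    if (size < 0) return false;
    return (size_t)size < max_size;
}

/* Mirrors the unsigned short total: the sum is computed in size_t and then
   truncated modulo USHRT_MAX + 1 on assignment (assumes a 16-bit short). */
unsigned short truncated_total(size_t first_len, size_t last_len) {
    unsigned short total;
    total = first_len + last_len + 1; /* implicit narrowing conversion */
    return total;
}

/* Checked version: keep the sum in size_t and test for wrap-around before
   adding, so the caller can refuse the allocation instead of undersizing it. */
bool checked_total(size_t first_len, size_t last_len, size_t *out) {
    if (first_len > SIZE_MAX - 1 || last_len > SIZE_MAX - 1 - first_len)
        return false;               /* the addition would wrap */
    *out = first_len + last_len + 1;
    return true;
}

int main(void) {
    size_t total;
    printf("(size_t)-1 = %zu\n", converted_size(-1));
    printf("size_is_valid(-1, 1024) = %d\n", size_is_valid(-1, 1024));
    printf("unsigned short total for 65500 + 36 + 1 = %u\n",
           (unsigned)truncated_total(65500, 36));
    if (checked_total(65500, 36, &total))
        printf("checked total = %zu\n", total);
    return 0;
}
```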
rsize_t (C11): the same as size_t, but explicitly used to hold the size of a single entity, so that values greater than RSIZE_MAX can be detected as constraint violations.
typedef for Readability and Portability