On 09/15/2017 04:46 AM, Guillaume Piolat wrote:
As a die-hard native programmer I was always disgusted by integer
overflow checks and array bounds checks. Littering code with branches
everywhere? Just let me go as fast possible please!
Last week security people explained to me how a share of today's
vulnerabilities are attacks on image parsers, and how integer
overflow checks may help there.
IIRC a typical attack on image format parser is to forge an image with a
width and height that will overflow an int.
On allocation, the result of the multiplication wraps around like this:
int width = parse_width_from_stream();   // eg: 131072
int height = parse_height_from_stream(); // eg: 131073
ubyte* data = cast(ubyte*) malloc(width * height * 4); // wraps around, allocates way less memory than that
For the record, with the help of std.experimental.checkedint, the change
that fixes the code would be:
malloc(width * height * 4) ==> malloc((checked(width) * height * 4).get)
That aborts the application with a message if a multiplication overflows.
Andrei
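The wraparound and the checked fix from the thread above, worked through in C as an added example (this is not code from either post and not std.experimental.checkedint; C is used because the image parsers the thread mentions are native code). The 8-byte little-endian header, the constructed forged and benign headers, and the MAX_DIM sanity cap are assumptions made for the example. The arithmetic is done in uint32_t so the wraparound is defined behaviour; with the signed int of the quoted snippet the overflow is undefined behaviour in C, which is strictly worse.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Assumed header layout for the example: width then height, each a
 * little-endian uint32. Real formats differ, but the sizing logic does not. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable sizing, as in the quoted snippet: the product is computed in
 * 32 bits and wraps. 131072 * 131073 * 4 = 2^36 + 2^19, which wraps to
 * 2^19 = 524288 bytes instead of the ~68 GiB that was actually needed. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height) {
    return width * height * 4u;
}

/* Portable checked multiply in the same 32-bit width as the quoted code.
 * Returns 0 on overflow (and leaves *out untouched), 1 otherwise.
 * out may be NULL when only the overflow verdict is wanted. */
int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (a != 0 && b > UINT32_MAX / a) return 0;
    if (out) *out = a * b;
    return 1;
}

/* Same check for size_t, the type malloc actually takes. */
int mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    if (out) *out = a * b;
    return 1;
}

/* Hypothetical sanity cap on a single dimension; real decoders carry their
 * own limits. A cap alone is not enough: the overflow checks stay in place
 * because the cap may be raised later, or the pixel size may grow. */
#define MAX_DIM 65535u

/* Hardened sizing: width * height * 4 computed in size_t, rejecting zero or
 * oversized dimensions and any overflow. Returns 0 on rejection; 0 is never
 * a valid size here because zero dimensions are rejected first. */
size_t checked_image_bytes(uint32_t width, uint32_t height) {
    size_t pixels, bytes;
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM) return 0;
    if (!mul_size_checked((size_t)width, (size_t)height, &pixels)) return 0;
    if (!mul_size_checked(pixels, 4, &bytes)) return 0;
    return bytes;
}

/* Allocate the pixel buffer for a header; NULL on a malformed header or
 * rejected size. *out_bytes receives the buffer length on success. */
uint8_t *alloc_image_from_header(const uint8_t *hdr, size_t hdr_len, size_t *out_bytes) {
    if (hdr_len < 8) return NULL;
    size_t bytes = checked_image_bytes(read_le32(hdr), read_le32(hdr + 4));
    if (bytes == 0) return NULL;
    uint8_t *buf = malloc(bytes);
    if (buf && out_bytes) *out_bytes = bytes;
    return buf;
}

/* Constructed headers: the forged one carries the thread's 131072 x 131073,
 * the benign one is 640 x 480. */
static const uint8_t forged_header[8] = { 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x02, 0x00 };
static const uint8_t benign_header[8] = { 0x80, 0x02, 0x00, 0x00, 0xE0, 0x01, 0x00, 0x00 };

int main(void) {
    uint32_t w = read_le32(forged_header), h = read_le32(forged_header + 4);
    size_t n = 0;
    printf("unchecked: %u x %u -> %u bytes (wrapped)\n", w, h, unchecked_image_bytes(w, h));
    printf("checked:   %u x %u -> %s\n", w, h,
           mul_u32_checked(w, h, NULL) ? "ok" : "overflow, rejected");
    uint8_t *img = alloc_image_from_header(benign_header, sizeof benign_header, &n);
    printf("benign header: %s, %zu bytes\n", img ? "allocated" : "rejected", n);
    free(img);
    return 0;
}
```

The unchecked function is the bug: the allocation succeeds with 524288 bytes, and every later write indexed by the real width and height lands past the end of the buffer. The checked variant fails closed before malloc is ever called, which is the same outcome the checkedint change above produces, except that the caller chooses between aborting and returning an error.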