[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Java integer overflows (was: a really long topic)

To: Andrew van der Stock <vanderaj@xxxxxxxxxx>, michaelslists@xxxxxxxxx
Subject: Re: [Full-disclosure] Java integer overflows (was: a really long topic)
From: Simon Roberts <thorpflyer@xxxxxxxxx>
Date: Wed, 29 Mar 2006 10:43:06 -0800 (PST)

Seems to me that such ranges are application specific and therefore
your problem, not the JVMs. You're describing a bug in your code, due
to failure to validate, not a bug in the JVM which behaves exactly (and
quite possibly provably) according to its specification.

--- Andrew van der Stock <vanderaj@xxxxxxxxxx> wrote:

> I'm not talking arbitrary code execution, I'm talking about odd code 
> 
> paths, bizarre outcomes, and DoS.
> 
> For example (found via 19 Sins, Viega, Howard and LeBlanc):
> http://seclists.org/lists/bugtraq/2004/Nov/0097.html
> 
> I know Michael reads webappsec, he may have more examples.
> 
> In my own code testing, I look for silly behaviors if a user can  
> insert a large or negative number. You'd be surprised how often it  
> occurs. There is no excuse not to include basic range checks when  
> performing data validation.
> 
> thanks,
> Andrew
> 
> On 29/03/2006, at 2:30 PM, michaelslists@xxxxxxxxx wrote:
> 
> > No you dont.
> >
> > Arrays are all bounds checked; ..., that is, the following code
> will
> > throw an exception:
> >
> > ================================
> > class Foo {
> >   static {
> >     int[] m = new int[2];
> >     System.out.println(m[34]);
> >   }
> > }
> > ================================
> >
> >
> > What do you mean by "overflow"? Do you mean this?
> >
> > ================================
> > class Foo {
> >   static {
> >     int m = Integer.MAX_VALUE;
> >     int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
> >     System.out.println(m);
> >     System.out.println(k);
> >     System.exit(0);
> >   }
> > }
> > ================================
> >
> > if so, I don't see how that is an issue.
> >
> > -- Michael
> >
> >
> >
> > On 3/29/06, Andrew van der Stock <vanderaj@xxxxxxxxxx> wrote:
> >> This is not quite true.
> >>
> >> Java does not prevent integer overflows (it will not throw an
> >> exception). So you still have to be careful about array indexes.
> >>
> >> Andrew
> 
> > _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


"You can tell whether a man is clever by his answers. You can tell whether a 
man is wise by his questions." ? Naguib Mahfouz

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- RE: [Full-disclosure] Java integer overflows (was: a really long topic)
  - From: Tim Hollebeek

References:
- [Full-disclosure] Java integer overflows (was: a really long topic)
  - From: Andrew van der Stock

Prev by Date: Re: [Full-disclosure] Security Alert: Unofficial IE patches appear oninternet
Next by Date: [Full-disclosure] [ GLSA 200603-26 ] bsd-games: Local privilege escalation in tetris-bsd
Previous by thread: [Full-disclosure] Re: Java integer overflows (was: a really long topic)
Next by thread: RE: [Full-disclosure] Java integer overflows (was: a really long topic)
Index(es):
- Date
- Thread