New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integer overflow in handling of -l (length) and -D (delay) parameter #13

Open
hannob opened this Issue Apr 6, 2018 · 0 comments

Comments

Projects
None yet
1 participant
@hannob

hannob commented Apr 6, 2018

beep contains integer overflows in the handling of the length and delay parameters.

To test compile beep with ubsan:
clang -fsanitize=undefined beep.c -o beep

And try:
./beep -l 2147483647
beep.c:299:16: runtime error: signed integer overflow: 1000 * 2147483647 cannot be represented in type 'int'

or
./beep -D 2147483647
beep.c:302:19: runtime error: signed integer overflow: 1000 * 2147483647 cannot be represented in type 'int'

The problem is that the value is multiplied by 1000. Integer overflows are undefined behavior and can thus lead to unpredictable outcome due to compiler optimizations.

This could be made safe by using unsigned variables. They could still overflow, but would "just" wrap around and lead to different values being used. Alternatively of course the inputs could be capped to values that can safely be multiplied within the size of an integer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment