It seems worthy enough of an error, nonetheless. I mean if you overflow you can overwrite memory, no?
No. I'll follow up in a bit, I'm busy right now
Aren't overflows a big bug in software used to run arbitrary code and such?
All right, sorry about that.
Anyways, there are different types of overflows. In the sense we're talking about, it is an
integer overflow. That is when you add one to the maximum number and end up with 0. The only type of vulnerability that that can lead to is a heap overflow, which is how Microsoft's JPEG decoder vulnerability came about. More on that later.
The type of overflow that you're thinking of is an array overflow. That is, when the programmer declares an array on the stack and then tries to add data to it that goes past the end of the array, it overwrites other data on the stack. And if you control a program's stack, it's game over.
Now, back to the integer overflow. This is something that people are never really taught, but that is very, very important. Here is some innocent looking C code:
int size = data[0]; // The first byte is the size, not including headers
unsigned char *buffer = malloc(size + 10); // allocate 10 extra bytes, to include the header
memcpy(buffer, data, 10); // copy the header
memcpy(buffer + 10, data + 10, size); // copy the rest of the data
That looks innocent enough. But what if the user sends a size of 0xFFFFFFF6? it will allocate size+10, or 0x00000000 bytes (due to the overflow). Then it will go ahead and copy the data into the buffer. Well, we only allocated 0 bytes, so we're overwriteing other data on the heap now. This is a head overflow, and doesn't always lead to full control of the process but often it's game over.
