Secure Coding mailing list archives

Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic)

From: michaelslists at gmail.com (michaelslists at gmail.com)
Date: Wed, 29 Mar 2006 14:57:00 +1100

Obviously there is other issues around not sanitising the data
yourself, but in the context of the reply - i.e. buffer overflows for
arbitrary code exec - java is fully protected.

any access to an array is checked by the vm.

-- Michael


On 3/29/06, Eliah Kagan <degeneracypressure at gmail.com> wrote:

On 3/29/06, Andrew van der Stock wrote:

This is not quite true.

Java does not prevent integer overflows (it will not throw an
exception). So you still have to be careful about array indexes.


On 3/28/06, michaelslists at gmail.com replied:

No you dont.

Arrays are all bounds checked; ..., that is, the following code will
throw an exception:

================================
class Foo {
  static {
    int[] m = new int[2];
    System.out.println(m[34]);
  }
}
================================


What do you mean by "overflow"? Do you mean this?

================================
class Foo {
  static {
    int m = Integer.MAX_VALUE;
    int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
    System.out.println(m);
    System.out.println(k);
    System.exit(0);
  }
}
================================

if so, I don't see how that is an issue.

-- Michael


That is an issue in a limited way--if you are trying to access a
record with a high enough number (say by adding a number to a previous
array index), you might end up accessing a record with a low number,
which could potentially compromise the security of an application if
certain assumptions are made. But this would only be within the same
array that is already being accessed. The risk is minimal compared to
the risks of accessing past the end of an array in, say, C.

Even with bounds checking, there is no general way for a programming
language to stop the programmer from writing a program that accesses
the wrong piece of data in within a data structure, causing a security
problem. Java was never designed to solve this sort of problem. Java
does abstract data access so that many common bugs like buffer
overflows are prevented, which is very useful.

-Eliah

Current thread:

Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 26)
- <Possible follow-ups>
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists at gmail.com (Mar 28)
  - Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)
    - Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists at gmail.com (Mar 28)
    - Java integer overflows (was: a really long topic) Andrew van der Stock (Mar 28)
    - Re: Java integer overflows (was: a really long topic) michaelslists at gmail.com (Mar 28)
    - Message not available
    - Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) michaelslists at gmail.com (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists at gmail.com (Mar 28)
  - Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code der Mouse (Mar 29)