packz · May 19, 2013 09:00
diff --git a/bug.c b/bug.c
 /*
 * This program shows the typical programming error
 * to handle wrong the signess of a variable.
 *
 * When the variable increases and reaches its maximum
 * value it overflows and became negative.
 *
 *  $ gcc -Wall bug.c -o bug
 *  $ ./bug | head
 *   * sizeof: 2 -> max value: 65536
 *  1
 *  2
 *  3
 *  4
 *  5
 *  6
 *  7
 *  8
 *  9
 *
 * If we look at the program running we see that it doesn't
 * stop:
 *
 *  $ ./bug | grep -C 1 32768
 *  32767
 *  -32768
 *  -32767
 *  --
 *  32767
 *  -32768
 *  -32767
 *  --
 *
 * If the "cycle" variable was used in a "memcpy" then you can see
 * that is a security threat.
 *
 */
 #include <stdio.h>

 int main() {
    short cycle = 0;
    int size = sizeof(cycle);
    int max_size = 1 << (size*8);

    printf(" * sizeof: %d -> max value: %d\n", size, max_size);

    while (cycle < max_size) {
        printf("%d\n", cycle++);
    }

    return 0;
 }
	/*
	* This program shows the typical programming error
	* to handle wrong the signess of a variable.
	*
	* When the variable increases and reaches its maximum
	* value it overflows and became negative.
	*
	* $ gcc -Wall bug.c -o bug
	* $ ./bug \| head
	* * sizeof: 2 -> max value: 65536
	* 1
	* 2
	* 3
	* 4
	* 5
	* 6
	* 7
	* 8
	* 9
	*
	* If we look at the program running we see that it doesn't
	* stop:
	*
	* $ ./bug \| grep -C 1 32768
	* 32767
	* -32768
	* -32767
	* --
	* 32767
	* -32768
	* -32767
	* --
	*
	* If the "cycle" variable was used in a "memcpy" then you can see
	* that is a security threat.
	*
	*/
	#include <stdio.h>

	int main() {
	short cycle = 0;
	int size = sizeof(cycle);
	int max_size = 1 << (size*8);

	printf(" * sizeof: %d -> max value: %d\n", size, max_size);

	while (cycle < max_size) {
	printf("%d\n", cycle++);
	}

	return 0;
	}