
RE: MSIE integer overflows

From: Cameron Brown <cameron(at)greyzone.com>
Date: Thu May 15 2003 - 19:37:03 EDT

I'm not a Javascript expert, but I think the issue isn't one of overflow, it's that the engine doesn't really store those ints with 64 bits of precision. Therefore, with high numbers, large == large+1, because there isn't enough precision to know the difference.

Observe:



<script language="javascript">
  for (test=56; test<64; test++) {
    large = Math.pow(2,test);
    document.write('Starting with 2^'+test+' ('+large+')<br>');
    for (n=0, i=0; n<5; n++) {
      while (large+i == large) i++;
      larger = large + i;
      document.write(large+' != '+larger+'<br>');
      large = larger;
    }
    document.write('<br><br>');
  }
</script>

Produces the following:



Starting with 2^56 (72057594037927940)
72057594037927940 != 72057594037927950
72057594037927950 != 72057594037927970
72057594037927970 != 72057594037927980
72057594037927980 != 72057594037928000
72057594037928000 != 72057594037928010

Starting with 2^57 (144115188075855870)

144115188075855870 != 144115188075855900
144115188075855900 != 144115188075855940
144115188075855940 != 144115188075855970
144115188075855970 != 144115188075856000
144115188075856000 != 144115188075856030

Starting with 2^58 (288230376151711750)

288230376151711750 != 288230376151711800
288230376151711800 != 288230376151711900
288230376151711900 != 288230376151711930
288230376151711930 != 288230376151712000
288230376151712000 != 288230376151712060

Starting with 2^59 (576460752303423500)

576460752303423500 != 576460752303423600
576460752303423600 != 576460752303423700
576460752303423700 != 576460752303423900
576460752303423900 != 576460752303424000
576460752303424000 != 576460752303424100

Starting with 2^60 (1152921504606847000)

1152921504606847000 != 1152921504606847200
1152921504606847200 != 1152921504606847500
1152921504606847500 != 1152921504606847700
1152921504606847700 != 1152921504606848000
1152921504606848000 != 1152921504606848200

Starting with 2^61 (2305843009213694000)

2305843009213694000 != 2305843009213694500
2305843009213694500 != 2305843009213695000
2305843009213695000 != 2305843009213695500
2305843009213695500 != 2305843009213696000
2305843009213696000 != 2305843009213696500

Starting with 2^62 (4611686018427388000)

4611686018427388000 != 4611686018427389000
4611686018427389000 != 4611686018427390000
4611686018427390000 != 4611686018427391000
4611686018427391000 != 4611686018427392000
4611686018427392000 != 4611686018427393000

Starting with 2^63 (9223372036854776000)

9223372036854776000 != 9223372036854777000
9223372036854777000 != 9223372036854780000
9223372036854780000 != 9223372036854781000
9223372036854781000 != 9223372036854784000
9223372036854784000 != 9223372036854786000

--------------------------------------------------
This shows the resolution of the integer space at various value ranges.

Cameron
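As an added illustration (not part of Cameron's message or anything else in the thread), the script below reproduces the effect in modern JavaScript and checks it against what IEEE 754 predicts: a Number is a 64-bit double with a 53-bit significand, so above 2^53 the gap between adjacent representable integers is 2^(exp-52), and "large + 1" rounds back to "large". Nothing overflows; precision is lost. All function names are mine, and the BigInt check at the end (which did not exist in MSIE in 2003) is the remedy to reach for when a 64-bit value such as a length, offset or identifier must be exact.

```javascript
// Added example, not code from the original thread. Reproduces the
// effect Cameron observed and compares it with the IEEE 754 prediction.

// Predicted gap between adjacent doubles at magnitude 2^exp: a double has
// 52 explicit fraction bits, so the unit in the last place is 2^(exp-52).
function ulpAtPowerOfTwo(exp) {
  return Math.pow(2, exp - 52);
}

// Cameron's inner loop: smallest i for which large + i no longer rounds
// back to large. Returns the value his loop assigns to "larger".
function nextRepresentableAbove(large) {
  let i = 0;
  while (large + i === large) i++;
  return large + i;
}

// Observed gap. The subtraction of two nearby doubles is exact
// (Sterbenz lemma), so this is a true integer.
function gapAbove(large) {
  return nextRepresentableAbove(large) - large;
}

// Berend-Jan's test: does i + 1 collapse onto i?
function plusOneIsLost(i) {
  return i + 1 === i;
}

// The "i == ++i" probe from the original thread. ECMAScript reads the
// left operand before ++i runs, so this is false for ordinary values and
// becomes true only once the increment is swallowed by rounding.
function preIncrementComparesEqual(start) {
  let i = start;
  return i == ++i;
}

// The remedy when a value must be exact: BigInt is arbitrary precision,
// so an increment is never lost. (n must be an integer-valued Number.)
function plusOneIsLostBigInt(n) {
  const b = BigInt(n);
  return b + 1n === b;
}

// Repeat Cameron's table for 2^52 .. 2^63 and compare with the prediction;
// the "safe" column is Number.isSafeInteger, which flips at 2^53.
function resolutionTable() {
  const rows = [];
  for (let exp = 52; exp <= 63; exp++) {
    const large = Math.pow(2, exp);
    rows.push({
      exp,
      predictedGap: ulpAtPowerOfTwo(exp),
      observedGap: gapAbove(large),
      safe: Number.isSafeInteger(large),
    });
  }
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of resolutionTable()) {
    console.log(`2^${r.exp}: gap ${r.observedGap} (predicted ${r.predictedGap}), safe integer: ${r.safe}`);
  }
  const i = 32 * 256 * 256 * 256 * 256 * 256 * 256 * 256; // Berend-Jan's value, 2^61
  console.log(`${i} + 1 === ${i} -> ${plusOneIsLost(i)}; with BigInt -> ${plusOneIsLostBigInt(i)}`);
}
```

Run it with node and the observed gap matches the predicted 2^(exp-52) on every row, which is exactly the "resolution of the integer space" the table above shows. Note that Cameron's loop finds the first i that rounds away from large, not the gap itself: at 2^56 that is i = 9 (half the gap plus one, since ties round to even), but the resulting "larger" is still large + 16.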

-----Original Message-----

From: Berend-Jan Wever [mailto:SkyLined@edup.tudelft.nl]
Sent: Wednesday, May 14, 2003 4:00 PM
To: vuln-dev@securityfocus.com
Subject: Re: MSIE integer overflows

Yes:
--

i=32*256*256*256*256*256*256*256;
a=i;
b=i+1;

alert(a+'=='+b+' evaluates to '+(a==b));
--

evaluates to true

Berend-Jan Wever

----- Original Message -----
From: "xenophi1e" <oliver.lavery@sympatico.ca>
To: <vuln-dev@securityfocus.com>
Sent: Wednesday, May 14, 2003 19:02
Subject: Re: MSIE integer overflows

> In-Reply-To: <004e01c319fb$7ec41050$0100a8c0@grotedoos>
>
> >Not true: "++i" will increase i first and return the result of that
> >increased i where "i++" will return i and then increase it:
> >-- example.js --
> >var i=1;
> >document.write(++i); // prints 2, i=2;
> >document.write(i++); // prints 2, i=3;
> >-- cut here --
> >
>
> Yes, of course.
>
> Again, I'm talking about C here, simply because I don't know JS to this
> level of detail. But...
>
> document.write((i==++i) + ' ' + (i==++i) + '<br>');
>
> Seems like ambiguous code that might rely on unspecified behaviours.
> Postincrement and preincrement are gotchas in C. For example the
> following code:
>
> i = 2;
> printf ("%d", i++ * i++);
>
> Often does not print 6 as you might think, but rather prints 4. The
> reason is that the postincrement operator increments the values before
> the next sequence point, not necessarily the next _operation_.
>
> I was just pointing out that using expressions like i == ++i seems a
> bit suspect. I'm not certain, but I believe a C compiler is free to do
> both increments prior to the rest of the expression. It does seem like
> it should always be a tautology, though.
>
> Do you get the same results if you write the same code less
> ambiguously?
>
> Cheers,
> ~ol
Received on Fri May 16 11:51:50 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
