More Fun with Integers

  • Article

Just a quick note this morning to share something I found while finishing up SafeInt 3.0. This is something more helpful with 64-bit porting than with general security, though it does have some security side effects. Warning - heavy C++ programming geek content ahead -

If you declare a function like so:

bool Foo( unsigned long ul )

And then pass in a size_t, you'll be truncating when you start compiling the code as 64-bit. The compiler will warn you about this, but if you had done:

unsigned long cbSomething;
bool Baz( unsigned short s );

And then passed cbSomething to Baz, it gets truncated, and the compiler won't be any help about it. Similarly, if we passed a signed short to Foo, it gets sign extended, then cast to unsigned, potentially changing the value. The compiler won't warn about that, either. Given that integer mayhem figures strongly in both security issues and is job #1 in terms of doing a port to 64-bit, this standard behavior is less than ideal.

One of the things people asked for in SafeInt was a way to make a boxed version that wouldn't blow up unless you unboxed an invalid object. We have a version of this working internally, and I decided to make it part of SafeInt 3.0. This meant I needed to rewrite a whole lot of the internal functions to work like this:

// Boxed version
template< typename T, typename U>
bool Op( const T& t, const U& u, T& ret ) throw()

// regular SafeInt version
template< typename T, typename U>
void Op( const T& t, const U& u, T& ret )

You might wonder why I'm passing references instead of passing the integers by value. I did this largely to make 64-bit types perform a little better on 32-bit platforms, though if you read the standard carefully, it says those get passed as pointers under the covers anway. At any rate, it is slightly more desciptive C++, it seems to inline just a little bit more nicely, and I definitely had to make the return value a reference, so why not be consistent?

As I found out once I started doing the work of getting the test harness to compile, if you pass something by reference that isn't the right _size_, the compiler will not only complain, it will throw ERRORS, and you get to think about what you're doing, and whether you want to really be truncating or extending. It did complain about some things that were benign, and I had to create a couple of internal temporary variables when I needed to modify the input, but it also found some real bugs.

Any time I can get the compiler to tell me about bugs, as opposed to having to step through the code trying to figure out why something went sideways, or worse, stepping through the code trying to figure out why the instruction at 0x41414141 isn't executing because there's an exploit, then I'll take the compiler every time.