# Integer overflow

In computer programming, an **integer overflow** occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space. For instance, taking the arithmetic mean of two numbers by adding them and dividing by two, as done in many search algorithms, causes error if the sum (although not the resulting mean) is too large to be represented, and hence overflows.^{[1]} The most common result of an overflow is that the least significant representable bits of the result are stored; the result is said to *wrap*. On some processors like GPUs and DSPs, the result saturates; that is, once the maximum value is reached, any attempt to increase it always returns the maximum integer value.

## Origin

The register width of a processor determines the range of values that can be represented. Typical binary register widths include:

- 8 bits: maximum representable value 2
^{8}− 1 = 255 - 16 bits: maximum representable value 2
^{16}− 1 = 65,535 - 32 bits: maximum representable value 2
^{32}− 1 = 4,294,967,295 (the most common width for personal computers as of 2005), - 64 bits: maximum representable value 2
^{64}− 1 = 18,446,744,073,709,551,615 (the most common width for personal computers, but not necessarily their operating systems, as of 2015), - 128 bits: maximum representable value 2
^{128}− 1 = 340,282,366,920,938,463,463,374,607,431,768,211,455

Since an arithmetic operation may produce a result larger than the maximum representable value, a potential error condition may result. In the C programming language, signed integer overflow causes undefined behavior, while unsigned integer overflow causes the number to be reduced modulo a power of two, meaning that unsigned integers "wrap around" on overflow. This "wrap around" is the cause of the famous "Split Screen" in Pac-Man.^{[2]}
A "wrap around" corresponds to the fact, that e.g. if the addition of two positive integers produces an overflow, it may result in an unexpected result. For example with unsigned 32 bit integers, 4000000000u + 1000000000u = 705032704u.

In computer graphics or signal processing, it is typical to work on data that ranges from 0 to 1 or from −1 to 1. An example of this is a grayscale image where 0 represents black, 1 represents white, and values in-between represent varying shades of gray. One operation that one may want to support is brightening the image by multiplying every pixel by a constant. Saturated arithmetic allows one to just blindly multiply every pixel by that constant without worrying about overflow by just sticking to a reasonable outcome that all these pixels larger than 1 (i.e. "brighter than white") just become white and all values "darker than black" just become black.

## Security ramifications

Language | Unsigned integer | Signed integer |
---|---|---|

Ada | raise NUMERIC_ERROR | |

C | modulo power of two | undefined behavior |

C++ | modulo power of two | undefined behavior |

C# | modulo power of 2 in unchecked context; `System.OverflowException` is raised in checked context^{[3]} | |

Java | NA | ignored |

Python 2 | NA | convert to long |

Seed7 | NA | raise OVERFLOW_ERROR^{[4]} |

Scheme | NA | convert to bigNum |

Smalltalk | NA | convert to LargeInteger |

Swift | Causes error unless using special overflow operators. ^{[5]} | |

In some situations, a program may make the assumption that a variable always contains a positive value. If the variable has a signed integer type, an overflow can cause its value to wrap and become negative. This overflow violates the program's assumption and may lead to unintended behavior. Similarly, subtracting from a small unsigned value may cause it to wrap to a large positive value which may also be an unexpected behavior. Multiplying or adding two integers may result in a value that is non-negative, but unexpectedly small. If this number is used as the number of bytes to allocate for a buffer, the buffer will be allocated unexpectedly small, leading to a potential buffer overflow.

## Techniques for mitigating integer overflow problems

Programming languages implement various mitigation techniques against an accidental overflow: Ada, Seed7 (and certain variants of functional languages), trigger an exception condition on overflow, while Python (since 2.4) seamlessly converts internal representation of the number to match its growth, eventually representing it as `long`

whose capability is only limited by the available memory.^{[6]}

Run-time overflow detection implementation `AddressSanitizer`

is also available for C compilers.

List of techniques and methods that might be used to mitigate the consequences of integer overflow:

- The effects of integer-based attacks for C/C++ and how to defend against them by using subtyping in Efficient and Accurate Detection of Integer-based Attacks.
- CERT As-if Infinitely Ranged (AIR) integer model - a largely automated mechanism for eliminating integer overflow and integer truncation As-if Infinitely Ranged Integer Model

In languages with native support for Arbitrary-precision arithmetic and type safety (such as Python or Common Lisp), numbers are promoted to a larger size automatically when overflows occur, or exceptions thrown (conditions signaled) when a range constraint exists. Using such languages may thus be helpful to mitigate this issue. In some such languages, situations are however still possible where an integer overflow could occur. An example is explicit optimization of a code path which is considered a bottleneck by the profiler. In the case of Common Lisp, this is possible by using an explicit declaration to type-annotate a variable to a machine-size word (fixnum) and lower the type safety level to zero for a particular code block.^{[7]}^{[8]}^{[9]}^{[10]}

In Java 8, there are overloaded methods, for example like Math#addExact(), which will throw ArithmeticException in case of overflow.

## Example

On 30 April 2015, the Federal Aviation Authority announced it will order Boeing 787 operators to reset its electrical system periodically, to avoid an integer overflow which could lead to loss of electrical power and ram air turbine deployment, and Boeing is going to deploy a software update in the fourth quarter.^{[11]} The European Aviation Safety Agency followed on 4 May 2015.^{[12]} The error happens after 2³¹ centiseconds (248.55134814815 days), indicating a 32 bit signed integer.

It is impossible to progress past level 22 of the arcade game *Donkey Kong* because of an integer overflow in its time/bonus. *Donkey Kong* takes the level number you're on, multiplies it by 10 and adds 40. When you reach level 22 the time/bonus number is 260 which is too large for its 8-bit 256 value register so it resets itself to 0 and gives the remaining 4 as the time/bonus - not long enough to complete the level.

In *Donkey Kong Jr. Math*, when you try to calculate a number over 10000, it only shows the first 4 digits.

## See also

- Arithmetic underflow
- Arithmetic overflow
- SIGFPE
- Buffer overflow
- Heap overflow
- Stack buffer overflow
- Pointer swizzling
- Software testing
- Static code analysis

## References

- ↑ Google Research blog: Nearly All Binary Searches and Mergesorts are Broken, Joshua Bloch, 2 June 2006
- ↑ Pittman, Jamey. "The Pac-Man Dossier".
- ↑ http://msdn.microsoft.com/en-us/library/khy08726.aspx
- ↑ Seed7 manual, section 15.2.3 OVERFLOW_ERROR.
- ↑ The Swift Programming Language. Swift 2.1 Edition. October 21, 2015.
- ↑ Python documentation, section 5.1 Arithmetic conversions.
- ↑ Reddy, Abhishek (2008-08-22). "Features of Common Lisp".
- ↑ Pierce, Benjamin C. (2002).
*Types and Programming Languages*. MIT Press. ISBN 0-262-16209-1. - ↑ Wright, Andrew K.; Matthias Felleisen (1994). "A Syntactic Approach to Type Soundness".
*Information and Computation***115**(1): 38–94. doi:10.1006/inco.1994.1093. - ↑ Macrakis, Stavros (April 1982). "Safety and power" (requires subscription).
*ACM SIGSOFT Software Engineering Notes***7**(2): 25–26. doi:10.1145/1005937.1005941. - ↑ "F.A.A. Orders Fix for Possible Power Loss in Boeing 787".
*New York Times*. 30 April 2015. - ↑ "US-2015-09-07 : Electrical Power - Deactivation".
*Airworthiness Directives*. European Aviation Safety Agency. 4 May 2015.

## External links

- Phrack #60, Basic Integer Overflows
- Phrack #60, Big Loop Integer Protection
- How to implement efficiently in C
- WASC Threat Classification - Integer Overflows
- Understanding Integer Overflow in C/C++