RE: MSIE integer overflows

From: Cameron Brown (cameronat_private)
Date: Thu May 15 2003 - 16:37:03 PDT

Next message: Thijs Dalhuijsen: "possible format string in ultra edit 8.00"

Previous message: Dave McKinney: "Administrivia: Challenge Guidelines"
In reply to: Berend-Jan Wever: "Re: MSIE integer overflows"
Next in thread: xenophi1e: "Re: MSIE integer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'm not a Javascript expert, but I think the issue isn't one of
overflow, it's that the engine doesn't really store those ints with 64
bits of precision.  Therefore, with high numbers, large == large+1;
because there isn't enough precision to know the difference.

Observe:

--------------------------------------------------
<script language="javascript">
  for (test=56; test<64; test++) {
    large = Math.pow(2,test);
    document.write('Starting with 2^'+test+' ('+large+')<br>');
    for (n=0, i=0; n<5; n++) {
      while (large+i == large) i++;
      larger = large + i;
      document.write(large+' != '+larger+'<br>');
      large = larger;
    }
    document.write('<br><br>');
  }
</script>
--------------------------------------------------

Produces the following:
--------------------------------------------------
Starting with 2^56 (72057594037927940)
72057594037927940 != 72057594037927950
72057594037927950 != 72057594037927970
72057594037927970 != 72057594037927980
72057594037927980 != 72057594037928000
72057594037928000 != 72057594037928010

Starting with 2^57 (144115188075855870)
144115188075855870 != 144115188075855900
144115188075855900 != 144115188075855940
144115188075855940 != 144115188075855970
144115188075855970 != 144115188075856000
144115188075856000 != 144115188075856030

Starting with 2^58 (288230376151711750)
288230376151711750 != 288230376151711800
288230376151711800 != 288230376151711900
288230376151711900 != 288230376151711930
288230376151711930 != 288230376151712000
288230376151712000 != 288230376151712060

Starting with 2^59 (576460752303423500)
576460752303423500 != 576460752303423600
576460752303423600 != 576460752303423700
576460752303423700 != 576460752303423900
576460752303423900 != 576460752303424000
576460752303424000 != 576460752303424100

Starting with 2^60 (1152921504606847000)
1152921504606847000 != 1152921504606847200
1152921504606847200 != 1152921504606847500
1152921504606847500 != 1152921504606847700
1152921504606847700 != 1152921504606848000
1152921504606848000 != 1152921504606848200

Starting with 2^61 (2305843009213694000)
2305843009213694000 != 2305843009213694500
2305843009213694500 != 2305843009213695000
2305843009213695000 != 2305843009213695500
2305843009213695500 != 2305843009213696000
2305843009213696000 != 2305843009213696500

Starting with 2^62 (4611686018427388000)
4611686018427388000 != 4611686018427389000
4611686018427389000 != 4611686018427390000
4611686018427390000 != 4611686018427391000
4611686018427391000 != 4611686018427392000
4611686018427392000 != 4611686018427393000

Starting with 2^63 (9223372036854776000)
9223372036854776000 != 9223372036854777000
9223372036854777000 != 9223372036854780000
9223372036854780000 != 9223372036854781000
9223372036854781000 != 9223372036854784000
9223372036854784000 != 9223372036854786000
--------------------------------------------------
This shows the resolution of the integer space at various value ranges. 

Cameron

-----Original Message-----
From: Berend-Jan Wever [mailto:SkyLinedat_private] 
Sent: Wednesday, May 14, 2003 4:00 PM
To: vuln-devat_private
Subject: Re: MSIE integer overflows


Yes:
--
i=32*256*256*256*256*256*256*256;
a=i;
b=i+1;
alert(a+'=='+b+' evaluates to '+(a==b));
--
evaluates to true

Berend-Jan Wever

----- Original Message ----- 
From: "xenophi1e" <oliver.laveryat_private>
To: <vuln-devat_private>
Sent: Wednesday, May 14, 2003 19:02
Subject: Re: MSIE integer overflows


> In-Reply-To: <004e01c319fb$7ec41050$0100a8c0@grotedoos>
> 
> 
> 
> >Not true: "++i" will increase i first and return the result of that
> 
> >increased i where "i++" will return i and then increase it:
> 
> >-- example.js --
> 
> >var i=1;
> 
> >document.write(++i); // prints 2, i=2;
> 
> >document.write(i++); // prints 2, i=3;
> 
> >-- cut here --
> 
> >
> 
> 
> 
> Yes, of course.
> 
> 
> 
> Again, I'm talking about C here, simply because I don't know JS to 
> this
> 
> level of detail. But...
> 
> 
> 
> document.write((i==++i) + ' ' + (i==++i) + '<BR>');
> 
> 
> 
> Seems like ambiguous code that might rely on unspecified behaviours.
> 
> Postincrement and preincrement are gotchas in C. For example the
> 
> following code:
> 
> 
> 
> i = 2;
> 
> printf ("%d", i++ * i++);
> 
> 
> 
> Often does not print 6 as you might think, but rather prints 4. The
> 
> reason is that the postincrement operator increments the values before
> 
> the next sequence point, not necessarily the next _operation_.
> 
> 
> 
> I was just pointing out that using expressions like i == ++i s eems a 
> bit
> 
> suspect. I'm not certain, but I believe a C compiler is free to do 
> both
> 
> increments prior to the rest of the expression. It does seem like it
> 
> should always be a tautology, though.
> 
> 
> 
> Do you get the same results if you write the same code less 
> ambiguously?
> 
> 
> 
> Cheers,
> 
> ~ol
>

Next message: Thijs Dalhuijsen: "possible format string in ultra edit 8.00"
Previous message: Dave McKinney: "Administrivia: Challenge Guidelines"
In reply to: Berend-Jan Wever: "Re: MSIE integer overflows"
Next in thread: xenophi1e: "Re: MSIE integer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri May 16 2003 - 08:49:15 PDT