COSC236 – Lab 1 - SECURITY INJECTIONS

CS1
Integer Errors – You can't count that high!
Background
Summary: Integer values that are too large or too small may fall outside the allowable
bounds for their data type, leading to unpredictable problems that can both reduce the
robustness of your code and lead to potential security problems.
Description: Variables are stored in a block of memory of a fixed size. This means that
there is a largest and smallest value that any variable of a given data type can hold.
Mathematical operations such as addition and multiplication may lead to values that are
outside of this range. For example, if an integer variable a holds the largest possible
value, the expression a * 10 will yield a value that is outside of that range – the value
will literally be too big. This condition is an integer overflow. When you have an integer
overflow, the value stored in the variable will not be what you want. This can lead to a
variety of problems, including security vulnerabilities.
If a program attempts to assign a value that is either too large or too small to an integer
variable, there won't be enough room to hold it. When this happens, you may not have
any idea what the value of that variable might be, but it almost always won't be what you
want.
Programming languages often use a range of data types to store integer values, with
different types holding different ranges of values. In Java, short is the smallest
integer data type, followed by int and then long. The highest and lowest allowable
values for integer data types are defined as constants depending on the specific integer
type. For integers, Integer.MAX_VALUE is the largest positive integer and
Integer.MIN_VALUE is the most negative integer. Short.MAX_VALUE,
Short.MIN_VALUE, Long.MAX_VALUE, and Long.MIN_VALUE are the corresponding values
for short and long variables.
Risk: An integer error may be exploited to cause a program crash, lead to incorrect
behavior, or present opportunities for malicious software to run code that could do bad
things to your computer.
Example of Occurrence: Many Unix operating systems store time values in 32-bit
signed (positive or negative) integers, counting the number of seconds since midnight
on January 1, 1970. On Tuesday, January 19, 2038, this value will overflow, becoming a
negative number. Although the impact of this problem in 2038 is not yet known, there
are concerns that software that projects out to future dates – including tools for
mortgage payment and retirement fund distribution – might face problems long before
then.
Source: “Year 2038 Problem” http://en.wikipedia.org/wiki/Year_2038_problem
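The 2038 overflow described above, shown in Java as an added example (not part of the original lab). The class name, method names and the mortgage start date are constructed for illustration; the 32-bit time value is modeled with a Java int.

```java
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;

public class Year2038Demo {
    // Store seconds since 1970-01-01T00:00:00Z the way a 32-bit signed field would.
    static int toSeconds32(long epochSeconds) {
        return (int) epochSeconds; // narrowing cast silently keeps only the low 32 bits
    }

    // Safer conversion: refuse any value a 32-bit signed field cannot hold.
    static int toSeconds32Checked(long epochSeconds) {
        return Math.toIntExact(epochSeconds); // throws ArithmeticException on overflow
    }

    public static void main(String[] args) {
        long last = Integer.MAX_VALUE;
        System.out.println("Last representable second: " + Instant.ofEpochSecond(last));
        System.out.println("One second later (32-bit): "
                + Instant.ofEpochSecond(toSeconds32(last + 1)));

        // Constructed sample: a 30-year mortgage that starts well before 2038.
        LocalDate start = LocalDate.of(2010, 6, 1);
        long payoff = start.plusYears(30).atStartOfDay(ZoneOffset.UTC).toEpochSecond();
        System.out.println("Payoff date (64-bit):      " + Instant.ofEpochSecond(payoff));
        System.out.println("Payoff date (32-bit):      "
                + Instant.ofEpochSecond(toSeconds32(payoff)));

        try {
            toSeconds32Checked(payoff);
        } catch (ArithmeticException e) {
            System.out.println("Checked conversion rejected the payoff date: " + e.getMessage());
        }
    }
}
```

The payoff date is computed in 2010, yet it already falls outside the 32-bit range, which is why date-projecting software can fail long before 2038.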
How can I avoid integer overflow?
1. Choose your data types carefully: Choose your data types to be large enough to
hold the values you will be working with. If there's any doubt at all as to whether
the variable will have values that are too large for a short, use an int. If an int
might be too small, use a long.
2. Validate your input for ranges and reasonableness. Check input is valid and
reasonable before conducting operations.
3. Check for possible overflows: Always check results of arithmetic operations on
integers, to be sure that an overflow has not occurred. The result of multiplying
two positive integers should be at least as big as both of those integers, etc. If
you find a result that overflows, you can take appropriate action before the result
is used. This might mean reporting an exception, stopping the program, or
repeating a request for input.
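One way to apply guidelines 2 and 3 in Java, as an added example (not part of the original lab). The class and method names are hypothetical; Math.addExact is a standard Java library method that throws ArithmeticException instead of wrapping.

```java
import java.util.Scanner;

public class SafeTimesTen {
    // Guideline 2: keep asking until the input is an int inside [min, max].
    static int readInRange(Scanner in, String prompt, int min, int max) {
        while (true) {
            System.out.print(prompt);
            if (!in.hasNext()) throw new IllegalStateException("no more input");
            if (in.hasNextInt()) {
                int v = in.nextInt();
                if (v >= min && v <= max) return v;
            } else {
                in.next(); // discard a token that is not an int (or is too big for one)
            }
            System.out.println("Please enter a whole number from " + min + " to " + max + ".");
        }
    }

    // Guideline 3: compute in a wider type, check the range, then narrow.
    static short timesTen(short value) {
        int wide = value * 10; // short is promoted to int, so this cannot overflow
        if (wide < Short.MIN_VALUE || wide > Short.MAX_VALUE) {
            throw new ArithmeticException(value + " * 10 = " + wide + " does not fit in a short");
        }
        return (short) wide;
    }

    public static void main(String[] args) {
        Scanner in = new Scanner(System.in);
        short sh = (short) readInRange(in, "Type a short value: ",
                Short.MIN_VALUE, Short.MAX_VALUE);
        try {
            System.out.println("Ten times short value is " + timesTen(sh));
        } catch (ArithmeticException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        try {
            // Math.addExact throws instead of silently wrapping to Integer.MIN_VALUE.
            int i = Math.addExact(Integer.MAX_VALUE, 1);
            System.out.println("i = " + i);
        } catch (ArithmeticException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```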
Laboratory/Homework Assignment:
1) Type in the following program:
import java.util.Scanner;

public class IntegerError {
    public static void main(String[] args) {
        Scanner scan = new Scanner(System.in);
        int i;
        byte b;
        short sh;
        long lon;

        // Print the limits of each integer data type.
        System.out.println("Largest integer is " + Integer.MAX_VALUE);
        System.out.println("Smallest integer is " + Integer.MIN_VALUE);
        System.out.println("Largest byte is " + Byte.MAX_VALUE);
        System.out.println("Smallest byte is " + Byte.MIN_VALUE);
        System.out.println("Largest short is " + Short.MAX_VALUE);
        System.out.println("Smallest short is " + Short.MIN_VALUE);
        System.out.println("Largest long is " + Long.MAX_VALUE);
        System.out.println("Smallest long is " + Long.MIN_VALUE);

        // Read one value of each type; a value outside the type's range
        // makes the Scanner throw an InputMismatchException.
        System.out.print("Type an integer value: ");
        i = scan.nextInt();
        System.out.println("Type a byte value: ");
        b = scan.nextByte();
        System.out.println("Type a short value: ");
        sh = scan.nextShort();
        System.out.println("Type a long value: ");
        lon = scan.nextLong();

        System.out.println("\nYou entered the following values: ");
        System.out.println("Integer: " + i);
        System.out.println("Byte: " + b);
        System.out.println("Short: " + sh);
        System.out.println("Long: " + lon);

        // Deliberate overflow: the result wraps around to Integer.MIN_VALUE.
        i = Integer.MAX_VALUE + 1;
        System.out.println("Integer overflow: i = " + i);

        // Deliberate overflow: the cast back to short keeps only the low 16 bits.
        sh = (short)(sh * 10);
        // Print sh itself; it already holds ten times the value typed in.
        System.out.println("Ten times short value is " + sh);
    }
}
2) Run this program until you find a value for the short that causes an error. What
happens when an integer error occurs?
3) What is the smallest value for the short that you can find that leads to an error when
it is first typed in – when the program prints “Short: ” and then your value?
4) What is the smallest value that you can type that causes an error when it is
multiplied by 10?
5) For each of the following give the appropriate Java declaration:
a. Number of students at your college
b. Population of Baltimore 637,455
c. Population of Maryland 5.6 million
d. the world population (6.6 billion).
6) Write a program that inputs two integers and demonstrates the following operations:
addition, subtraction, multiplication, division, and modulus. Test your program for
different sets of values. What happens when the second number is 0? A division by
zero error, while not a known security vulnerability, affects the reliability of a
program.
7) Complete the checklist below for your program.
8) Write a program that prompts the user to input the length and width of a rectangle
and then prints the rectangle’s area and perimeter.
9) Write a program that inputs hours worked, pay rate, and income tax rate and computes
total pay and net pay.
Security Checklist
Checklists are used in many industries including aviation and software for safety and
error checking. Complete the following security checklist to identify potential
vulnerabilities in your code.
Security Checklist
Vulnerability: Integer Errors
Course: CS1
Check each line of code
1. Underline each occurrence of an integer variable.
For each underlined variable:
2. Mark with a V any input operations that assign values to the variable.
3. Mark with a V any mathematical operations involving the variable.
4. Mark with a V any assignments made to the variable.
Possible Vulnerability!!
Discussion
1. In your own words, describe an integer overflow.
2. How could an integer error occur in your program?
3. What happens when an integer error occurs?
4. Does integer overflow generate compiler warnings or errors or runtime errors?
5. Why is multiplication particularly risky?
6. What is something you should always consider when using the division or
modulus operator?
7. Why is user input risky?
8. Name three things that you might do in your next program to prevent an integer
error from occurring.