## integer overflow

Posted by vijayram on February 4, 2007

Santosh Kumar over on the iGeeks brought to my attention about this interesting topic. I never have dug in deep to learn about this subject, since I know it could cause more harm 😉

He mentioned: ” While type casting from Number (64-bit double-precision) to int (32-bit integer) if Number value range cannot fit into integer than integer value is converted to default value ie 0.”

Interesting, but why should it default to zero?! That begged the question. Let me retrospect from my earlier post. I mentioned, anything over the range of Integer values, shall be internally operated as a “Number” data-type in Flash.

var i:int = 2147483648;

trace(describeType(i));

//-output

<type name=”Number” base=”Object” isDynamic=”false” isFinal=”true” isStatic=”false”>

<extendsClass type=”Object”/>

<constructor>

<parameter index=”1″ type=”*” optional=”true”/>

</constructor>

</type>

Wait a minute, we just came across an example of “**integer overflow**“! When an attempt is made to store a value greater than this maximum value it is known as an integer overflow. Why didn’t the compiler warn me? Apparently where is no compile-time warnings or run-time exceptions to let you this.

Integer overflows cannot be detected after they have happened, so there is not way for an application to tell if a result it has calculated previously is in fact correct. This can get dangerous if the calculation has to do with the size of a buffer or how far into an array to index.

Ok, time to understand what is happening here. Lets take the case of both the unsigned integer and signed integer overflows (there are overflows and underflows).

When an unsigned integer reaches its maximum value, it wraps around and starts over, much as a car odometer. Unsigned short integers can’t hold a number larger than 4294967295, so the value is wrapped around to 0.

var i:uint = 4294967296; //overflow

trace(i);

// output – 0

A signed integer is different from an unsigned integer, in that half of the values you can represent are negative. Instead of picturing a traditional car odometer, you might picture one that rotates up for positive numbers and down for negative numbers. One mile from 0 is either 1 or -1. When you run out of positive numbers, you run right into the largest negative numbers and then count back down to 0.

var i:int = 2147483648; // overflow

trace(i);

//output – -2147483648 (this is largest negative int value)

**Why is this important to know??**Supposing you are working with unsigned data-type, the memory would be allocated for it accordingly. If that value has wrapped around then there would be far little memory for it now available. Disaster. Or if you are comparing values with a signed integer and it has overflown to be a negative, it would it pass througn. Disaster again!! If an attempt is made to store a value in an integer which is greater than the maximum value the integer can hold, the value will be truncated. If the stored value is the result of an arithmetic operation, any part of the program which later uses the result will run incorrectly as the result of the arithmetic being incorrect.

Now, think of what impact this could have. One could exploit this if it has not been taken care for in the Flash Plugin. One cannot directly overwrite the memory but the exploitation can be subtle. This topic is out of the subject for this current post but you can read about it here on Wikipedia. Flash plugin was prone to heap buffer read overflow in the recent past.

Microsoft have there version of SafeInt class to help safeguard from this issue. All arithmetic is performed on unsigned values, which is very interesting.

Now back to Flash. Any number too big is just returned back as “infinity”. Clever!!! But why?

Lets just remember that Flash uses another data-type for arithmetic operations called “Number”. The Number data-type interoperates as “double” data-type which means it has a larger range of numbers it can store and display.

Through some debugging process, I came to know that Flash uses “int” data-type to represent any values between the range 2^29 (-268435456 to +268435455). I am not sure what happens to those extra 3 bits, though one bit would be used for the sign (+ or-). Anything over this range is held internally as a Number data-type to represent. What this implies is that, we do not have our flash player crashing if we have an overflow or underflow as this implicit casting happens internally. Anything over the range of Number will be called as “infinity”.

## Soyuz said

“Supposing you are working with unsigned data-type, the memory would be allocated for it accordingly. If that value has wrapped around then there would be far little memory for it now available.”

You sure you explaining it correct. Or you tried to explain the case where somebody want to do

malloc(a+b) where a+b overflows limit and ends up allocating less than requested amount.

## bram said

here’s your answer:

http://blog.andre-michelle.com/2007/weird_behavior_of_numbers_in_as3/

Your conclusions are completely right. This also explains why people have seen strange performance with ints, sometime a (u)int isn’t an (u)int but rather a Number:

trace(describeType(int.MAX_VALUE)); // “Number”

trace(describeType(uint.MAX_VALUE)); // “Number”

– bram

## vijayram said

Cheers Bram 🙂