Project 4: Integer Overflow to Heap Overflow

A program that simulates processing a shopping cart. It reads a list of items, each with a quantity and price_per_item. It calculates the total size needed for the item names and allocates it on the heap. Your task is to provide input that causes the size calculation to overflow, leading to a small allocation followed by a large memcpy, resulting in a heap overflow.

Quick Reference

Attribute               Value
Primary Language        C
Alternative Languages   C++
Difficulty              Level 2: Intermediate
Time Estimate           Weekend
Knowledge Area          Integer Overflows / Heap Overflows
Tooling                 GCC/Clang, GDB
Prerequisites           Understanding of malloc and the heap.

What You Will Build

A program that simulates processing a shopping cart. It reads a list of items, each with a quantity and price_per_item. It calculates the total size needed for the item names and allocates it on the heap. Your task is to provide input that causes the size calculation to overflow, leading to a small allocation followed by a large memcpy, resulting in a heap overflow.

Why It Matters

Multiplying an attacker-controlled count by an attacker-controlled size before passing the result to malloc is a bug pattern that appears repeatedly in real-world systems and tooling; this project builds the core skills of spotting that calculation, choosing values that make it wrap, and seeing what the resulting copy does to the heap.

Core Challenges

  • Identifying the vulnerable calculation → maps to spotting count * size patterns
  • Finding values that cause an integer overflow → maps to understanding the limits of int, unsigned int, and size_t
  • Triggering the heap overflow → maps to causing a memcpy to write out of bounds
  • Observing the crash in GDB → maps to seeing the heap corruption and corrupted malloc metadata

Key Concepts

  • Integer Overflow Dangers: SEI CERT C INT32-C. Ensure that operations on signed integers do not result in overflow.
  • Heap Allocator Internals: Basic understanding that malloc stores metadata next to allocated chunks.

Real-World Outcome

// The vulnerable C logic (includes, wrapper function and `names` source added
// here so it compiles; the original fragment elided the memcpy source/length).
#include <stdlib.h>
#include <string.h>

// item_count and item_name_length come from user input; `names` is assumed
// to hold item_count names of item_name_length bytes each, back to back.
char *build_name_table(size_t item_count, size_t item_name_length,
                       const char *names) {
    size_t total_size = item_count * item_name_length;

    // If item_count is large and item_name_length is large,
    // total_size can wrap around to be a small number.
    char *buffer = malloc(total_size);
    if (buffer == NULL) return NULL;

    // The loop then copies `item_count * item_name_length` bytes
    // (the real amount) into the tiny `buffer`.
    for (size_t i = 0; i < item_count; i++) {
        memcpy(buffer + i * item_name_length,
               names + i * item_name_length, item_name_length); // Heap overflow!
    }
    return buffer;
}
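The check a practitioner would want beside that snippet, as an added example that is not code from the page or its main guide: the same copy loop with the multiplication validated before malloc, plus a helper that reports whether count * len wraps in size_t. It serves both the "Finding values that cause an integer overflow" challenge above and the vulnerable logic just shown. The function names, the `names` input buffer layout and the demonstration constants are assumptions made here; the wrap values are chosen so they overflow on any width of size_t.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if count * len would wrap around in size_t, 0 otherwise.
 * Dividing instead of multiplying cannot overflow, which is the standard
 * pre-check for a count * size allocation. */
int size_mul_wraps(size_t count, size_t len) {
    if (count == 0 || len == 0) {
        return 0; /* product is 0, nothing to wrap */
    }
    return len > SIZE_MAX / count;
}

/* The total the vulnerable version would hand to malloc: the plain product,
 * which silently wraps. Kept as a function so the wrapped value can be checked. */
size_t vulnerable_total(size_t count, size_t len) {
    return count * len;
}

/* Hardened version of the page's build step: the same copy loop, but the
 * allocation is refused when the size calculation would wrap, so the loop can
 * never write past what malloc actually returned. `names` is assumed to hold
 * item_count names of item_name_length bytes each, back to back. */
char *build_name_table_checked(size_t item_count, size_t item_name_length,
                               const char *names) {
    if (size_mul_wraps(item_count, item_name_length)) {
        return NULL; /* reject: caller reports a malformed cart */
    }
    size_t total_size = item_count * item_name_length;
    char *buffer = malloc(total_size);
    if (buffer == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < item_count; i++) {
        memcpy(buffer + i * item_name_length,
               names + i * item_name_length, item_name_length);
    }
    return buffer;
}

/* Constructed demonstration values: count = 2^(n-1) with len = 2 makes the
 * product exactly 2^n, which wraps to 0 in an n-bit size_t, so the vulnerable
 * version would call malloc(0) and then copy far beyond it. */
static const size_t WRAP_COUNT = SIZE_MAX / 2 + 1;
static const size_t WRAP_LEN = 2;

int main(void) {
    /* A well-formed cart: two 4-byte names, constructed inline. */
    const char names[] = "abc\0def\0";
    char *table = build_name_table_checked(2, 4, names);
    int ok = table != NULL && memcmp(table, names, 8) == 0;
    free(table);

    /* The overflowing cart is refused before any allocation happens. */
    int refused = build_name_table_checked(WRAP_COUNT, WRAP_LEN, names) == NULL;
    return (ok && refused) ? 0 : 1;
}
```

glibc's calloc performs the same division check internally, so calloc(item_count, item_name_length) is an equivalent fix when zero-filled memory is acceptable. For the GDB milestone, building the vulnerable version with -fsanitize=address reports the heap-buffer-overflow at the first out-of-bounds memcpy, which is easier to read than the later crash inside malloc when corrupted chunk metadata is walked.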

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_C_SECURE_CODING_DEEP_DIVE.md
  • “Secure Coding in C and C++” by Robert C. Seacord