Skip to content

fix: guard vector byte-count multiplications against size overflow#38

Open
orbisai0security wants to merge 2 commits into
brightprogrammer:masterfrom
orbisai0security:fix-v001-integer-overflow-vec-memmove
Open

fix: guard vector byte-count multiplications against size overflow#38
orbisai0security wants to merge 2 commits into
brightprogrammer:masterfrom
orbisai0security:fix-v001-integer-overflow-vec-memmove

Conversation

@orbisai0security
Copy link
Copy Markdown

@orbisai0security orbisai0security commented May 15, 2026
edited
Loading

Summary

This PR adds overflow checks before computing byte counts for vector memory operations.

Several vector insert/remove paths compute sizes, such as:

  • aligned_size * count
  • count * vec_aligned_size(vec)
  • (vec->length - start - count) * vec_aligned_size(vec)

These values are then passed to MemMove / MemSet. If the multiplication overflows size, the resulting byte count may no longer match the intended logical element count.

This change adds explicit guards before those multiplications, so the operation fails early rather than proceeding with a wrapped size value.

This is intended as defensive robustness / integer-overflow hardening. It is not claiming a demonstrated exploitable vulnerability without a concrete reproducer.

Changes

  • Source/Misra/Std/Container/Vec.c

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: V-001 security vulnerability
e53bd22 
Automated security fix generated by Orbis Security AI
@brightprogrammer
Copy link
Copy Markdown
Owner

brightprogrammer commented May 15, 2026

While the claim of no overflow check being there is correct, I fail to see why this is a CRITICAL vulnerability. An attached ASAN report + a POC would've been helpful to support your claims.

@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented May 15, 2026

Thanks, that’s fair feedback. I agree that “CRITICAL” is too strong without a concrete reproducer.

The issue I was trying to address is narrower: several vector operations compute byte counts for MemMove/MemSet as aligned_size * count or similar, without first checking whether the multiplication can overflow size. If very large item_size/alignment/count values are passed to these APIs, the computed byte count can overflow, and the vector’s logical length/capacity arithmetic may no longer correspond to the actual memory operation size.

I should have framed this as defensive integer-overflow hardening rather than a demonstrated critical vulnerability. I'll update the PR title/description accordingly, remove the “critical” wording, and keep the PR scoped as a robustness/MISRA-style bounds check.

Would you be open to reviewing it under that framing?

@orbisai0security orbisai0security changed the title fix: multiple memmove calls in vec in Vec.c fix: guard vector byte-count multiplications against size overflow May 15, 2026
@brightprogrammer
Copy link
Copy Markdown
Owner

brightprogrammer commented May 15, 2026

Your first few checks have checks placed on count as well, is that not already verified for not being zero?

@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented May 15, 2026

You’re right, I’ll remove the redundant zero-count checks where the function contract or earlier validation already guarantees that. I only need a non-zero denominator for the overflow expression, but if count is already guaranteed non-zero at that point, the guard can simply be the multiplication-overflow check.

@orbisai0security @claude
fix: remove redundant count != 0 guards in overflow checks
662cef4 
Both insert_range_into_vec and insert_range_fast_into_vec already
return early when count == 0, so the division-by-zero guard in the
overflow check is unnecessary.

Addresses review feedback on PR brightprogrammer#38.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
brightprogrammer
brightprogrammer reviewed May 15, 2026
View reviewed changes
Comment thread Source/Misra/Std/Container/Vec.c
}
}

if ((vec->length - start - count) != 0 && vec_aligned_size(vec, item_size) > SIZE_MAX / (vec->length - start - count)) {
Copy link
Copy Markdown
Owner

@brightprogrammer brightprogrammer May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the (vec->length - start - count) != 0 check is also redundant, MemMove returns early if provided length to move is 0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brightprogrammer brightprogrammer brightprogrammer left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@orbisai0security @brightprogrammer