返回 Skill 列表
extension
分类: 开发与工程无需 API Key

cwe-190-integer-overflow

在需要修复Java代码中的CWE-190(整数溢出)漏洞时使用此技能。在静态应用安全测试结果、安全审查或修复整数溢出问题时触发。

person作者: jakexiaohubgithub

CWE-190 Integer Overflow

Description

Integer Overflow

Reference: https://cwe.mitre.org/data/definitions/190.html

OWASP Category: A03:2021 – Injection


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Standard arithmetic can overflow silently
int userQuantity = Integer.parseInt(request.getParameter("quantity"));
int unitPrice = 100;
int total = userQuantity * unitPrice;  // Overflow wraps to negative!

// Array allocation with overflow
int size = width * height;  // Can overflow
byte[] buffer = new byte[size];

Why it's vulnerable: This pattern is vulnerable to Integer Overflow


Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use Math.xxxExact() methods that throw on overflow
int userQuantity = Integer.parseInt(request.getParameter("quantity"));
int unitPrice = 100;

try {
    int total = Math.multiplyExact(userQuantity, unitPrice);
    int withTax = Math.addExact(total, Math.multiplyExact(total, taxRate) / 100);
} catch (ArithmeticException e) {
    throw new IllegalArgumentException("Quantity too large", e);
}

// For array allocations
try {
    int size = Math.multiplyExact(width, height);
    if (size > MAX_ALLOWED_SIZE) {
        throw new IllegalArgumentException("Size exceeds limit");
    }
    byte[] buffer = new byte[size];
} catch (ArithmeticException e) {
    throw new IllegalArgumentException("Dimensions cause overflow", e);
}

Why it's secure: Implements proper protection against Integer Overflow


Detection Pattern

Look for these patterns in your codebase:

# Find arithmetic with parsed input
grep -rn "parseInt\|parseLong" --include="*.java" -A5 | grep -E "\*|\+"

Remediation Steps

  1. Use Math.addExact(), Math.subtractExact(), Math.multiplyExact()

  2. Catch ArithmeticException and handle gracefully

  3. Validate input ranges before arithmetic operations

  4. Use BigInteger for arbitrary precision when needed


Key Imports


import java.lang.Math;

import java.math.BigInteger;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-190 vulnerability
Resolve Integer Overflow issue
Secure this Java code against integer overflow
SAST reports CWE-190

Common Vulnerable Locations

| Layer | Files | Patterns | |-------|-------|----------|

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07