...
The following sections examine specific operations that are susceptible to unsigned integer wrap. When operating on small integer types (smaller than int), integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Make sure you understand integer conversion rules before trying to implement secure arithmetic operations (see INT02-AC. Understand integer conversion rules).
Integer values that originate from untrusted sources must not be allowed to wrap if they are used in any of the following ways:
...
The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer wrap vulnerability resulting from an unsigned integer wrap during the multiplication of the `signed int` value `pen->num_vertices` and the `size_t` value `sizeof(cairo_pen_vertex_t)` [VU#551436]. The `signed int` operand is converted to `unsigned int` prior to the multiplication operation (see INT02-AC. Understand integer conversion rules).
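The following is an added example, not code from the original page or from the Mozilla or cairo sources. It shows a precondition test that rejects a negative count and a wrapping product before an allocation size is computed from a signed element count and a `size_t` element size. The names `vertex_t`, `checked_array_size` and `alloc_vertices` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for a vertex record; not cairo's actual type. */
typedef struct {
    double x, y;
} vertex_t;

/*
 * Compute count * elem_size into *out.
 * Returns 0 on success, -1 if count is negative or the product would wrap.
 */
int checked_array_size(int count, size_t elem_size, size_t *out)
{
    if (count < 0) {
        return -1;   /* a negative int would convert to a huge unsigned value */
    }
    size_t n = (size_t)count;
    if (elem_size != 0 && n > SIZE_MAX / elem_size) {
        return -1;   /* n * elem_size would exceed SIZE_MAX and wrap */
    }
    *out = n * elem_size;
    return 0;
}

/* Allocate room for count vertices, or return NULL if the size is invalid. */
vertex_t *alloc_vertices(int count)
{
    size_t bytes;
    if (checked_array_size(count, sizeof(vertex_t), &bytes) != 0 || bytes == 0) {
        return NULL;
    }
    return malloc(bytes);
}

int main(void)
{
    vertex_t *v = alloc_vertices(4);
    int ok = (v != NULL) && (alloc_vertices(-1) == NULL);
    free(v);
    return ok ? 0 : 1;
}
```

The division-based test runs before the multiplication, so the wrapped value is never produced and never reaches `malloc`.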
...