Arithmetic Overflow
In a similar vain to Buffer Overflow Attack, thanks to 2s Complement Representation, if you add 1 to you get .
Example:
int catvars(char *buf1, char *buf2,
unsigned int len1, unsigned int len2) {
char mybuf[256];
if ((len1 + len2) > 256) {
return -1;
}
memcpy(mybuf, buf1, len1);
memcpy(mybuf + len1, buf2, len2);
do_some_stuff(mybuf);
return 0;
}