CWE-190 Integer Overflow

Description

Integer Overflow

Reference: https://cwe.mitre.org/data/definitions/190.html

OWASP Category: A03:2021 – Injection

---

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Standard arithmetic can overflow silently
int userQuantity = Integer.parseInt(request.getParameter("quantity"));
int unitPrice = 100;
int total = userQuantity * unitPrice;  // Overflow wraps to negative!

// Array allocation with overflow
int size = width * height;  // Can overflow
byte[] buffer = new byte[size];

Why it's vulnerable: This pattern is vulnerable to Integer Overflow

---

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use Math.xxxExact() methods that throw on overflow
int userQuantity = Integer.parseInt(request.getParameter("quantity"));
int unitPrice = 100;

try {
    int total = Math.multiplyExact(userQuantity, unitPrice);
    int withTax = Math.addExact(total, Math.multiplyExact(total, taxRate) / 100);
} catch (ArithmeticException e) {
    throw new IllegalArgumentException("Quantity too large", e);
}

// For array allocations
try {
    int size = Math.multiplyExact(width, height);
    if (size > MAX_ALLOWED_SIZE) {
        throw new IllegalArgumentException("Size exceeds limit");
    }
    byte[] buffer = new byte[size];
} catch (ArithmeticException e) {
    throw new IllegalArgumentException("Dimensions cause overflow", e);
}

Why it's secure: Implements proper protection against Integer Overflow

---

Detection Pattern

Look for these patterns in your codebase:

# Find arithmetic with parsed input
grep -rn "parseInt\|parseLong" --include="*.java" -A5 | grep -E "\*|\+"

---

Remediation Steps

1. Use Math.addExact(), Math.subtractExact(), Math.multiplyExact()

2. Catch ArithmeticException and handle gracefully

3. Validate input ranges before arithmetic operations

4. Use BigInteger for arbitrary precision when needed

---

Key Imports

import java.lang.Math;

import java.math.BigInteger;

---

Verification

After remediation:

• Run SAST scanner to confirm vulnerability is resolved

• Review all instances of the vulnerable pattern

• Add unit tests that verify the secure implementation

• Check for similar patterns in related code

---

Trigger Examples

Fix CWE-190 vulnerability
Resolve Integer Overflow issue
Secure this Java code against integer overflow
SAST reports CWE-190

---

Common Vulnerable Locations

Layer	Files	Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

---

References

• CWE-190: Integer Overflow

---

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07