"Maxwell Koo" firstname.lastname@example.org
Narf Industries (NRFIN)
This is a RPN calculator which allows calculations on several types of mathematical objects (integers, doubles and matrices).
Commands take the form of a 4-byte command identifier, followed by optional arguments. Commands may produce output but will always end in a 4-byte success code, 0 on success or -1 on failure.
When a command requires tagging the type of an operand, it will accept a 4-byte tag with 0 == integer, 1 == matrix, and 2 == double.
Internally, each type is represented using tagged values packed into a double, with integers and matrices represented by NaN values.
The following commands are available: - Push operand (integer, double or matrix) - Pop result (integer, double or matrix) - Clear stack - Add top two operands and push result - Subtract top two operands and push result - Multiply top two operands and push result - Divide top two operands and push result - Invert matrix and push result
The system does not correctly check for floating point overflow in all cases, allowing crafted operands which will lead to type confusion. Due to the manner in which matrices are stored (pointers packed into a double), corrupting a rpnval to contain an arbitrary address may allow for read/write access to a significant portion of the process' memory space.
There is also an out of bounds read due to reversal of two array indices in multiply, which can be triggered by multiplying to matrices such that memory outside of the data buffer of the result matrix is accessed.
Type confusion Divide by zero Integer overflow
CWE-125 Out of bound read CWE-190 Integer overflow or wraparound CWE-369 Divide by zero CWE-682 Incorrect calculation CWE-704 Incorrect type conversion or cast CWE-843 Access of resource using incompatible type
Curated by Lunge Technology, LLC. Questions or comments? Send us email