Example - 1

This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.

...public static final double price = 20.00;int quantity = currentUser.getAttribute("quantity");double total = price * quantity;chargeUser(total);...

The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited.

Example - 2

This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.

// /* board dimensions */// 
die("No integer passed: Die evil hacker!\n");
die("No integer passed: Die evil hacker!\n");
die("Value too large: Die evil hacker!\n");
...#define MAX_DIM 100...int m,n, error;board_square_t *board;printf("Please specify the board height: \n");error = scanf("%d", &m);if ( EOF == error ){}printf("Please specify the board width: \n");error = scanf("%d", &n);if ( EOF == error ){}if ( m > MAX_DIM || n > MAX_DIM ) {}board = (board_square_t*) malloc( m * n * sizeof(board_square_t));...

While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program.