Add regression tests for Int64 array bounds check bypass #32

Closed
EricGrange wants to merge 1 commit into master from claude/audit-compiler-security-H4vpq

Conversation

@EricGrange (Owner)

Summary

This PR adds two regression test cases that verify proper bounds checking for array access with Int64 indices that exceed 32-bit range.

Key Changes

  • array_bounds_int64_static.pas: Red test for static array bounds-check bypass where indices with values >= 2^32 incorrectly truncate to their low 32 bits, bypassing range validation
  • array_bounds_int64_dynamic.pas: Red test for dynamic array bounds-check bypass through non-variable base expressions with Int64 indices
  • array_bounds_int64_static.txt and array_bounds_int64_dynamic.txt: Expected output files showing that out-of-bounds exceptions should be raised for all out-of-range indices

Notable Details

These tests expose a critical security issue in array indexing:

  • TStaticArrayExpr.GetIndex() evaluates indices as Int64 but truncates to 32-bit Integer before bounds checking, allowing indices like 2^32 to silently access wrong array elements
  • TDynamicArrayExpr evaluation methods similarly declare indices as 32-bit Integer despite receiving Int64 values, bypassing bounds validation for high-value indices
  • The tests verify both read and write operations should raise exceptions for out-of-bounds Int64 indices

https://claude.ai/code/session_013gnFMXw8LzjgJz5eHcyYW6

TStaticArrayExpr.GetIndex and TDynamicArrayExpr.EvalAsXxx evaluate the
index via EvalAsInteger (Int64) but store it into a 32-bit local
`Integer` variable before performing the Cardinal-based range check.
Any index whose low 32 bits land inside the array length silently
bypasses the check and reads/writes the wrong element, so

  a[$100000000]      reads a[0]
  a[$100000002] := v writes a[2]

instead of raising "Upper bound exceeded". Add two ArrayPass scripts
that assert the safe behaviour (out-of-bounds exception raised) so the
suite goes red until the truncation is fixed at the bounds-check site.
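The truncation the commit message describes, reduced to the bounds check alone, as an added C illustration that is not DWScript's own code: the function names, the 3-element array and the probe values are assumptions, while $100000000 and $100000002 are the two indices quoted above. The vulnerable check keeps only the low 32 bits of the Int64 index before the unsigned compare; the fixed check compares at full width.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed 3-element array standing in for the script-side array `a`. */
#define ARRAY_LEN 3
static const int32_t a[ARRAY_LEN] = { 10, 20, 30 };

/* Vulnerable shape: the Int64 index is narrowed to 32 bits before the
   Cardinal-style unsigned comparison, so only the low 32 bits are checked.
   Returns true when the check lets the access through. */
static bool check_truncated(int64_t idx, int32_t len) {
    uint32_t low = (uint32_t)idx;            /* silent truncation to 32 bits */
    return low < (uint32_t)len;
}

/* Fixed shape: compare at full 64-bit width. A negative index becomes a huge
   unsigned value and is rejected along with anything >= len. */
static bool check_full_width(int64_t idx, int32_t len) {
    return (uint64_t)idx < (uint64_t)len;
}

/* Read through the vulnerable path: once the truncated check passes, the
   truncated index selects the element, so a[$100000000] yields a[0].
   Returns -1 where the check would have raised. */
static int32_t read_truncated(int64_t idx) {
    if (!check_truncated(idx, ARRAY_LEN)) return -1;
    return a[(uint32_t)idx];
}

/* Read through the fixed path: every out-of-range Int64 index is refused. */
static int32_t read_fixed(int64_t idx) {
    if (!check_full_width(idx, ARRAY_LEN)) return -1;
    return a[(uint32_t)idx];
}

int main(void) {
    const int64_t probes[] = { 0, 2, 3, -1, 0x100000000LL, 0x100000002LL };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        int64_t idx = probes[k];
        printf("idx=%lld  truncated: %s (%d)  full-width: %s (%d)\n",
               (long long)idx,
               check_truncated(idx, ARRAY_LEN) ? "pass " : "raise",
               read_truncated(idx),
               check_full_width(idx, ARRAY_LEN) ? "pass " : "raise",
               read_fixed(idx));
    }
    return 0;
}
```

The two rows for $100000000 and $100000002 show the truncated path returning a[0] and a[2], which is exactly the behaviour the ArrayPass scripts assert must not happen.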
@EricGrange EricGrange closed this May 15, 2026
@EricGrange EricGrange deleted the claude/audit-compiler-security-H4vpq branch May 15, 2026 09:48