flag_shop

Published: April 2, 2026

Description

There's a shop selling flags. You start with 1100 coins but the real flag costs way more. Find a way to exploit the coin system.

Remote

Connect to the challenge server via netcat.

Explore the shop menu to understand the purchasing options.

Solution

  1. Step 1: Trigger a signed integer overflow on the cheap flag purchase
    The shop sells knockoff flags at a fixed price each (900 coins in the picoCTF 2019 binary) and asks for a quantity, which it reads into a 32-bit signed int and multiplies by the price with no overflow check. Enter a quantity large enough that price * quantity exceeds INT_MAX (2147483647): the product wraps to a negative cost, the cost-versus-balance check passes trivially because the cost is negative, and subtracting that negative cost increases your balance instead of decreasing it. Choose the quantity so that the new balance still fits below INT_MAX; if it does not, the balance itself wraps negative and the purchase is useless. Entering INT_MAX itself is a poor choice here: 900 * 2147483647 wraps to exactly -900, which only refunds the price of one flag.

    A signed integer overflow occurs when an arithmetic operation produces a result outside the range representable by the integer type. A 32-bit signed integer can hold values from −2,147,483,648 to 2,147,483,647 (INT_MIN to INT_MAX). When you exceed INT_MAX, the value wraps around to a large negative number -- this is defined behavior in C for unsigned types but undefined behavior in C for signed types (though in practice most compilers implement two's complement wraparound).

    Here, the server computes cost = price * quantity in a 32-bit signed int. With a price of 1 the product could never exceed INT_MAX, because quantity is itself a 32-bit int; the overflow exists because the per-flag price is larger than 1, so price * quantity crosses INT_MAX at a quantity that is still a valid positive int. Once it does, the result wraps to a negative number. The server then computes balance -= cost, and subtracting a negative value is equivalent to addition -- your balance increases dramatically instead of decreasing. The one constraint is that balance - cost must also stay within int range; otherwise that subtraction wraps too and leaves you with a negative balance.

    This class of vulnerability is responsible for real-world security incidents. Notable examples include the Ariane 5 Flight 501 failure (1996), where a 64-bit floating-point value was converted to a 16-bit signed integer and overflowed, and many game and virtual-economy exploits of exactly this price-times-quantity pattern. In C/C++, check for overflow before performing the arithmetic (for example with __builtin_mul_overflow in GCC and Clang, or C23's ckd_mul from <stdckdint.h>), use a wider type such as int64_t for quantities that could grow large, and reject out-of-range input before it reaches the arithmetic at all.

  2. Step 2: Buy the real flag
    With the inflated balance, select the 1337 flag in the shop. The server compares your balance against its price, the check passes, and it prints the real picoCTF flag.

    Once you have a large positive balance from the overflow, the shop's price check passes without any further trick: the server only compares your balance against the 1337 flag's price, and a balance in the billions satisfies that comparison. Nothing needs to wrap in this step; if the balance had wrapped negative in Step 1, this check would fail and you would have to redo Step 1 with a smaller quantity.

    This demonstrates the broader vulnerability class of improper input validation combined with integer handling errors. A secure implementation would validate that the requested quantity is positive and within a reasonable range before performing any arithmetic, or use checked arithmetic functions that return an error on overflow.

    In CTF binary exploitation challenges, integer overflows often serve as a stepping stone to more serious vulnerabilities -- for example, overflowing an allocation size to cause a heap underallocation, then overflowing the allocated buffer to corrupt adjacent memory. Understanding how integers behave at their boundaries is a foundational skill for binary exploitation.
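The whole chain from both steps, reconstructed in C as an added example (this is not the challenge's own source): a model of the shop's vulnerable purchase routine, a hardened version beside it, and a search for a quantity that makes the cost wrap negative while keeping the new balance positive. The starting balance of 1100, the knockoff price of 900 and the 1337 flag price of 100000 are the values of the picoCTF 2019 challenge; the function names, the exact form of the checks and the strict balance > price comparison are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Example code, not the challenge binary's source. Function names and the
 * exact form of the checks are this example's assumptions. */

/* 32-bit two's complement multiply that wraps on overflow. Signed overflow
 * is undefined behaviour in C, so the wrap is modelled with unsigned
 * arithmetic (which is defined) and then reinterpreted as signed; this is
 * what the compiled shop binary does in practice with a plain int multiply. */
int32_t wrapped_cost(int32_t price, int32_t quantity) {
    uint32_t prod = (uint32_t)price * (uint32_t)quantity;  /* mod 2^32 */
    return (int32_t)prod;
}

/* Vulnerable purchase, as the writeup describes the shop: rejects only
 * non-positive quantities, multiplies without an overflow check, and
 * accepts any cost that is <= balance, including a negative one. */
bool vulnerable_buy(int32_t *balance, int32_t price, int32_t quantity) {
    if (quantity <= 0)
        return false;
    int32_t cost = wrapped_cost(price, quantity);
    if (cost > *balance)
        return false;
    /* balance - cost, also wrapping: a negative cost is added to balance */
    *balance = (int32_t)((uint32_t)*balance - (uint32_t)cost);
    return true;
}

/* Hardened purchase: bound the quantity, use a checked multiply
 * (__builtin_mul_overflow, GCC >= 5 / Clang), and deduct only a
 * non-negative cost that fits in the balance. */
bool safe_buy(int32_t *balance, int32_t price, int32_t quantity, int32_t max_qty) {
    if (price <= 0 || quantity <= 0 || quantity > max_qty)
        return false;
    int32_t cost;
    if (__builtin_mul_overflow(price, quantity, &cost))
        return false;                 /* price * quantity does not fit in int32 */
    if (cost > *balance)
        return false;
    *balance -= cost;                 /* cannot wrap: 0 <= cost <= balance */
    return true;
}

/* Search for the smallest quantity whose wrapped cost is negative and whose
 * resulting balance both fits in int32 and exceeds real_price.
 * Returns 0 if no such quantity exists. */
int32_t find_exploit_quantity(int32_t balance, int32_t price, int32_t real_price) {
    for (int64_t q = 1; q <= INT32_MAX; q++) {
        int32_t cost = wrapped_cost(price, (int32_t)q);
        if (cost >= 0)
            continue;                 /* product has not crossed INT_MAX yet */
        int64_t new_balance = (int64_t)balance - cost;   /* exact, no wrap */
        if (new_balance > INT32_MAX)
            continue;                 /* the balance itself would wrap negative */
        if (new_balance > real_price)
            return (int32_t)q;
    }
    return 0;
}

int main(void) {
    const int32_t start = 1100, price = 900, real_price = 100000;

    /* INT_MAX is a poor quantity here: 900 * INT_MAX wraps to exactly -900. */
    int32_t b = start;
    vulnerable_buy(&b, price, INT32_MAX);
    printf("quantity INT_MAX -> cost %d, balance %d\n",
           wrapped_cost(price, INT32_MAX), b);

    int32_t q = find_exploit_quantity(start, price, real_price);
    b = start;
    vulnerable_buy(&b, price, q);
    printf("quantity %d -> cost %d, balance %d (enough for the 1337 flag: %s)\n",
           q, wrapped_cost(price, q), b, b > real_price ? "yes" : "no");

    b = start;
    printf("hardened shop accepts the same quantity: %s\n",
           safe_buy(&b, price, q, 1000) ? "yes" : "no");
    return 0;
}
```

The search is worth running rather than guessing: the first quantity at which 900 * q crosses INT_MAX is 2386093, but that and the next quantity push the balance past INT_MAX on the way back, so the balance wraps negative and Step 2 fails; 2386095 is the smallest quantity that works for these values. The hardened version rejects the exploit twice over, once on the quantity bound and once on the checked multiply, and its final subtraction cannot wrap because the cost has already been shown to be non-negative and no larger than the balance.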

Flag

picoCTF{...}

Signed integer overflow in C wraps around on real targets -- price * quantity crosses INT_MAX and produces a negative cost, which the shop then subtracts from your balance, increasing it instead of decreasing it.
