Skip to content

Fix integer overflow in ArrayList.IListWrapper.BinarySearch and improve test coverage #123806

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Fix integer overflow in ArrayList.IListWrapper.BinarySearch and improve test coverage #123806

Copilot wants to merge 6 commits into from
+187 −2

Conversation

Copy link
Contributor

Copilot AI commented Jan 30, 2026
edited by vcsjones
Loading

Description

The IListWrapper.BinarySearch implementation computed the midpoint as mid = (lo + hi) / 2, which overflows when searching large arrays (e.g., byte[int.MaxValue / 2 + 2]). This PR fixes the overflow issue and significantly improves test coverage for the BinarySearch method.

Fixes #123804

Changes

  • Replace overflow-prone midpoint calculation with the same approach used in Array.GetMedian: mid = lo + ((hi - lo) >> 1)
  • Move mid declaration inside the loop
  • Add test BinarySearch_LargeList_NoIntegerOverflow that validates the fix using a simulated large IList to avoid memory allocation issues in CI
  • Add 7 comprehensive tests to improve BinarySearch coverage:
    • BinarySearch_EmptyList: Test searching in empty list
    • BinarySearch_SingleElement: Test single element edge case
    • BinarySearch_BoundaryConditions: Test search at start/end of ranges
    • BinarySearch_PartialRangeSearch: Test searching within subranges
    • BinarySearch_ComparerThrowsException: Test exception propagation from comparer
    • BinarySearch_UnsortedList: Test behavior on unsorted list (should not crash)
    • BinarySearch_TwoElementList: Test two-element edge case
  • Add ThrowingComparer helper class for exception testing
  • Add FakeLargeIList helper class that simulates an array of int.MaxValue / 2 + 2 elements without actually allocating memory, making it suitable for CI environments

This matches the pattern already used in Array.BinarySearch and prevents overflow by ensuring (hi - lo) remains in bounds before the division.

// Before (overflows)
int mid = (lo + hi) / 2;

// After (overflow-safe)
int mid = lo + ((hi - lo) >> 1);

Additional Investigation

Investigated other types in the repository for similar overflow risks. Found that:

  • Array.cs and ArraySortHelper.cs already use the safe pattern
  • ExpressionParser.cs (System.Data.Common) has the unsafe pattern but very low risk (small fixed array)
  • ConcurrentSet.cs (TraceLogging) has the unsafe pattern with medium theoretical risk

Testing

  • ✅ All 20 BinarySearch tests pass (12 original + 8 new)
  • ✅ Comprehensive coverage of all 3 method overloads
  • ✅ Edge cases covered: empty lists, single/two element lists
  • ✅ Boundary conditions and partial range searches tested
  • ✅ Exception handling verified
  • ✅ Code review completed with no issues
  • ✅ Security scan completed

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 30, 2026

Tagging subscribers to this area: @dotnet/area-system-collections
See info in area-owners.md if you want to be subscribed.

@vcsjones vcsjones mentioned this pull request Jan 30, 2026
Closed
7 tasks
@vcsjones
Fix ArrayList IListWrapper BinarySearch integer overflow
f1ac6d4 
Co-authored-by: vcsjones <361677+vcsjones@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix issue 123804 in runtime Fix integer overflow in ArrayList.IListWrapper.BinarySearch Jan 30, 2026
@vcsjones vcsjones marked this pull request as ready for review January 30, 2026 22:53
Copilot AI review requested due to automatic review settings January 30, 2026 22:53
Copilot AI reviewed Jan 30, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes an integer overflow vulnerability in ArrayList.IListWrapper.BinarySearch by replacing the overflow-prone midpoint calculation with the overflow-safe pattern already used throughout the .NET runtime.

Changes:

  • Replace mid = (lo + hi) / 2 with mid = lo + ((hi - lo) >> 1) to prevent integer overflow when searching large arrays
  • Move the mid variable declaration inside the while loop to limit its scope

This was referenced Jan 30, 2026
Open
Open
@stephentoub
Add test for BinarySearch integer overflow fix
3040bd0 
Add BinarySearch_LargeList_NoIntegerOverflow test that verifies the fix handles large list indices correctly without integer overflow. The test uses a simulated large list to avoid memory allocation issues in CI.

Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Copilot AI requested a review from stephentoub January 31, 2026 04:08
stephentoub
stephentoub reviewed Jan 31, 2026
View reviewed changes
Copilot AI and others added 2 commits January 31, 2026 04:31
@stephentoub
Add comprehensive test coverage for ArrayList.BinarySearch
f9c7238 
Add 7 additional tests to improve coverage:
- BinarySearch_EmptyList: Test searching in empty list
- BinarySearch_SingleElement: Test single element edge case
- BinarySearch_BoundaryConditions: Test search at start/end of ranges
- BinarySearch_PartialRangeSearch: Test searching within subranges
- BinarySearch_ComparerThrowsException: Test exception propagation from comparer
- BinarySearch_UnsortedList: Test behavior on unsorted list (should not crash)
- BinarySearch_TwoElementList: Test two-element edge case

All 20 BinarySearch tests now pass.

Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Remove unused variable in BinarySearch_UnsortedList test
e5ac50f 
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Copilot AI changed the title Fix integer overflow in ArrayList.IListWrapper.BinarySearch Fix integer overflow in ArrayList.IListWrapper.BinarySearch and improve test coverage Jan 31, 2026
Copilot AI requested a review from stephentoub January 31, 2026 04:33
@stephentoub
Rename LargeIList to FakeLargeIList per feedback
0ecedca 
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@stephentoub stephentoub Awaiting requested review from stephentoub

At least 1 approving review is required to merge this pull request.

Assignees

@vcsjones vcsjones

Copilot code review Copilot

Labels

area-System.Collections

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ArrayList IListWrapper integer overflow in BinarySearch

4 participants

@stephentoub @vcsjones @jkotas