Integer Overflows:

Typically integer overflows do not allow to directly overwrite the memory. 
Instead, integers are usually used to  perform computational checks or
are used as auxiliary function arguments. 
(there are other uses for integers which could also lead to vulnerabilities.
See http://www.phrack.com/issues.html?issue=60&id=10) 

Let's see some examples of improper integer handling:

#### Example 1 #### 

In the example below, the command line argument is first stored in an integer value
and then assigned to a short. However, the size of short is only 2 bytes, whereas 
integer is 4 bytes. Hence, the integer will be trunkated. As a result, it is possible
to bypass the computation check and stored more into the buffer than it can fit. 
From this moment, a regular buffer flow exploit can be performed. 

/* width1.c - exploiting a trivial widthness bug */
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]){
		unsigned short s;
		int i;
		char buf[80];
		
		if(argc < 3){
		      return -1;
		}
		
		i = atoi(argv[1]);
		s = i;
		
		if(s >= 80){            /* [w1] */
		      printf("Oh no you don't!\n");
		      return -1;
		}
		
		printf("s = %d\n", s);
		
		memcpy(buf, argv[2], i);
		buf[i] = '\0';
		printf("%s\n", buf);
		
		return 0;
}
    
#### Example 2 ####
    

int get_two_vars(int sock, char *out, int len){
			char buf1[512], buf2[512];
			unsigned int size1, size2;
			int size;
			
			if(recv(sock, buf1, sizeof(buf1), 0) < 0){
			    return -1;
			}
			if(recv(sock, buf2, sizeof(buf2), 0) < 0){
			    return -1;
			}
			
			/* packet begins with length information */
			memcpy(&size1, buf1, sizeof(int));
			memcpy(&size2, buf2, sizeof(int));
			
			size = size1 + size2;       /* [1] */
			
			if(size > len){             /* [2] */
			    return -1;
			}
			
			memcpy(out, buf1, size1);
			memcpy(out + size1, buf2, size2);
			
			return size;
}

This example shows what can sometimes happen in network daemons, especially
when length information is passed as part of the packet (in other words, it
is supplied by an untrusted user).  The addition at [1], used to check that
the data does not exceed the bounds of the output buffer, can be abused by
setting size1 and size2 to values that will cause the size variable to wrap
around to a negative value.  Example values could be:
    size1 = 0x7fffffff
    size2 = 0x7fffffff
    (0x7fffffff + 0x7fffffff = 0xfffffffe (-2)).
When this happens, the bounds check at [2] passes, and a lot more of the
out buffer can be written to than was intended (in fact, arbitrary memory
can be written to, as the (out + size1) dest parameter in the second memcpy
call allows us to get to any location in memory).