See slides.

Some digressions from the slides:

An example of an intentional overflow: addresses and sizes are represented as unsigned integers, so the natural way to check whether a size s is too big to add to an address a is:

    a + s < a

Unsigned arithmetic in C wraps around modulo 2^N (this is defined behaviour), so if a + s is smaller than a, then a + s must have wrapped, and s is too big. This is a common idiom in C. Caveat: it is only valid for unsigned types. Signed overflow is undefined behaviour, and a compiler is allowed to rewrite x + s < x on a signed x into s < 0, which silently removes the check.

Averaging two unsigned integers: is it OK to write (a + b) / 2? No: if a is big, a + b overflows (wraps) and the result is wrong. What is the right way?

    unsigned int average = (a / 2) + (b / 2) + (a & b & 1);

The term (a & b & 1) deals with the case where both a and b are odd: a / 2 and b / 2 have then each lost a half, and the two halves together make the 1 that has to be added back.

How to write a correct check for malloc(a + n * b), with a, n and b all unsigned long?

    n > ULONG_MAX / b ?          (No: only checks n * b and ignores the + a)
    n > ULONG_MAX / b - a ?      (No: a is subtracted on the wrong side of the division, and
                                  ULONG_MAX / b - a wraps when a is large, so overflowing
                                  sizes can pass the check)
    n > (ULONG_MAX - a) / b      (Yes: a + n * b overflows iff n * b > ULONG_MAX - a,
                                  iff n > (ULONG_MAX - a) / b, for b > 0; b == 0 has to be
                                  handled separately so the division is never by zero)
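A worked example in C, added here and not taken from the slides or the notes: the three idioms above as functions, with constructed inputs chosen near ULONG_MAX and UINT_MAX so that the naive versions visibly go wrong. The function names are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Overflow idiom for unsigned addresses/sizes: a + s wrapped iff the sum
 * is smaller than a. Only valid for unsigned types, where wrap-around is
 * defined; on signed types the same expression is undefined behaviour
 * and the compiler may delete the check. */
bool add_overflows(unsigned long a, unsigned long s)
{
    return a + s < a;
}

/* Naive average: a + b wraps when it exceeds UINT_MAX. Kept only to
 * show the bug. */
unsigned int average_naive(unsigned int a, unsigned int b)
{
    return (a + b) / 2;
}

/* Correct average, the formula from the notes: halve each operand
 * separately, then put back the 1 lost when both a and b are odd.
 * Yields floor((a + b) / 2) for every a, b. */
unsigned int average_safe(unsigned int a, unsigned int b)
{
    return (a / 2) + (b / 2) + (a & b & 1);
}

/* The rejected candidate n > ULONG_MAX / b - a, kept to show how it
 * fails: for large a the subtraction wraps and the check never fires. */
bool alloc_check_wrong(unsigned long a, unsigned long n, unsigned long b)
{
    return b != 0 && n > ULONG_MAX / b - a;
}

/* The correct check: a + n * b overflows unsigned long iff
 * n > (ULONG_MAX - a) / b. b == 0 means n * b == 0, and a alone
 * always fits, so it is special-cased to avoid dividing by zero. */
bool alloc_size_overflows(unsigned long a, unsigned long n, unsigned long b)
{
    return b != 0 && n > (ULONG_MAX - a) / b;
}

/* malloc(a + n * b) with the check applied: returns NULL instead of
 * allocating a wrapped-around (far too small) buffer. */
void *checked_malloc(unsigned long a, unsigned long n, unsigned long b)
{
    if (alloc_size_overflows(a, n, b))
        return NULL;
    return malloc(a + n * b);
}

int main(void)
{
    /* Constructed inputs at the edges. */
    printf("add_overflows(ULONG_MAX-1, 2) = %d\n", add_overflows(ULONG_MAX - 1, 2));
    printf("naive avg = %u, safe avg = %u\n",
           average_naive(UINT_MAX, UINT_MAX - 1), average_safe(UINT_MAX, UINT_MAX - 1));
    /* a = ULONG_MAX, n = 1, b = 2 overflows, but the wrong check misses it. */
    printf("wrong check flags = %d, correct check flags = %d\n",
           alloc_check_wrong(ULONG_MAX, 1, 2), alloc_size_overflows(ULONG_MAX, 1, 2));
    void *p = checked_malloc(16, 4, 8);          /* 48 bytes, fits */
    void *q = checked_malloc(16, ULONG_MAX / 8 + 1, 8); /* wraps, NULL */
    printf("p %s NULL, q %s NULL\n", p ? "!=" : "==", q ? "!=" : "==");
    free(p);
    free(q);
    return 0;
}
```

With GCC or Clang the same checks can be written with __builtin_add_overflow and __builtin_mul_overflow, which also handle the signed case without relying on wrap-around; the hand-written versions above are what the notes are about.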