On Thu, Oct 7, 2021 at 5:11 AM Tony Stead <thst...@gmail.com> wrote:
>
> I have been using the Integer class for some big number operations and seem
> to have found a buffer overflow in at least the Integer::And routine. I have
> not yet inspected any more.
>
> Extract from integer.cpp
>
> // This is a bit operation. We set sign to POSITIVE, so there's no need to
> // worry about negative zero. Also see http://stackoverflow.com/q/11644362.
> Integer Integer::And(const Integer& t) const
> {
>     if (this == &t)
>     {
>         return AbsoluteValue();
>     }
>     else if (reg.size() >= t.reg.size())
>     {
>         Integer result(t);
>         AndWords(result.reg, reg, t.reg.size());
>
>         result.sign = POSITIVE;
>         return result;
>     }
>     else // reg.size() < t.reg.size()
>     {
>         Integer result(*this);
>         AndWords(result.reg, t.reg, reg.size());
>
>         result.sign = POSITIVE;
>         return result;
>     }
> }
>
> The issue is caused in the temporary result variable. When result copies t
> or this in its constructor, it calculates the minimum size required to fit
> the current number in t or this. If the top order bits of t or this have
> gone zero it will allocate fewer bytes than the size of t or this. However
> the following AndWords routine performs a copy using the size of the original
> number, either t or this.
>
> Changing the value to result.reg.size() appears to fix the issue at least for
> my use case.
Thanks Tony. Do you have a reproducer? I'd like to look at it. We have test cases set up and they are run under the sanitizers. I don't recall seeing a finding. We might be missing a test case for it, however.

Jeff

--
You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cryptopp-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cryptopp-users/CAH8yC8nqkhmT7y8vZ%3DXAgb16qPhRC6MPcQZM52bWKBPA%3DdZO3A%40mail.gmail.com.
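The size mismatch Tony describes, modelled as a stand-alone C++ program. This is an added example and not Crypto++ code: `BigInt`, `RoundupSize`, `OverrunWords`, `SafeAnd` and the sample registers `kShrunk`, `kWide`, `kFull` are assumed names chosen to mirror the structure of the quoted `Integer::And`, and the power-of-two register rounding is an assumed approximation of the library's own sizing. The model shows why a copy-constructed `result` can have a register smaller than the operand it was copied from when that operand's high words are zero, how many words the original `AndWords` call would then write past the end of `result.reg`, and the bounded form of the loop that Tony's one-line change amounts to.

```cpp
// Added example (not Crypto++ code): a stand-alone model of the register-size
// mismatch in the quoted Integer::And. BigInt, RoundupSize, OverrunWords and
// SafeAnd are assumed names mirroring integer.cpp's structure, not its API.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

typedef std::uint64_t Word;

// Assumption: registers are sized in powers of two with a minimum of 2 words,
// an approximation of the library's rounding. The exact table does not matter
// for the bug; what matters is that a copy is sized from WordCount(), not reg.size().
static std::size_t RoundupSize(std::size_t n) {
    std::size_t s = 2;
    while (s < n) s *= 2;
    return s;
}

struct BigInt {
    std::vector<Word> reg;   // little-endian words; the high words may be zero
    bool negative;

    // Build from explicit words so a sample can have a register whose top
    // words have "gone zero" (e.g. after arithmetic that never shrank it).
    BigInt(std::initializer_list<Word> words) : reg(words), negative(false) {}

    // Significant words, like Integer::WordCount(): leading zero words do not count.
    std::size_t WordCount() const {
        std::size_t n = reg.size();
        while (n > 0 && reg[n - 1] == 0) --n;
        return n;
    }

    // Mirrors the copy constructor's behaviour Tony describes: the new register
    // is sized from the source's WordCount(), so it can be smaller than source.reg.size().
    BigInt(const BigInt& t)
        : reg(RoundupSize(t.WordCount()), 0), negative(t.negative) {
        std::copy(t.reg.begin(), t.reg.begin() + t.WordCount(), reg.begin());
    }
};

// In both non-self branches of the quoted And(), the operand with the smaller
// register is copied into `result` and AndWords() is told to process that
// operand's reg.size() words. Returns how many of those words fall past the
// end of result.reg (0 means the original loop stays in bounds).
std::size_t OverrunWords(const BigInt& a, const BigInt& b) {
    const BigInt& src = (a.reg.size() >= b.reg.size()) ? b : a;
    BigInt result(src);                      // shrinks to RoundupSize(src.WordCount())
    std::size_t n = src.reg.size();          // the count the original passed to AndWords
    return n > result.reg.size() ? n - result.reg.size() : 0;
}

// Hardened form: bound the loop by result.reg.size() (Tony's change) and by
// the other operand's register too, so neither side is accessed past its end.
BigInt SafeAnd(const BigInt& a, const BigInt& b) {
    const bool aLarger = a.reg.size() >= b.reg.size();
    const BigInt& src   = aLarger ? b : a;
    const BigInt& other = aLarger ? a : b;
    BigInt result(src);
    const std::size_t n = std::min(result.reg.size(), other.reg.size());
    for (std::size_t i = 0; i < n; ++i)
        result.reg[i] &= other.reg[i];
    for (std::size_t i = n; i < result.reg.size(); ++i)
        result.reg[i] = 0;                   // AND with a missing word is 0
    result.negative = false;                 // bit operations yield a positive result
    return result;
}

// Constructed sample operands (not taken from the original report).
// kShrunk: a 4-word register holding a 1-word value, so a copy of it gets 2 words.
const BigInt kShrunk{0xFF, 0, 0, 0};
// kWide: an 8-word register holding a 1-word value.
const BigInt kWide{0x0F, 0, 0, 0, 0, 0, 0, 0};
// kFull: a 2-word register with both words significant, so a copy keeps 2 words.
const BigInt kFull{1, 2};

int main() {
    std::printf("words the original loop would write past result.reg: %zu\n",
                OverrunWords(kShrunk, kWide));
    std::printf("SafeAnd(kShrunk, kWide) low word: 0x%llx\n",
                (unsigned long long)SafeAnd(kShrunk, kWide).reg[0]);
    return 0;
}
```

Running `OverrunWords` on `kShrunk` and `kWide` reports 2 words of overrun: the copy of the 4-word operand is sized for its single significant word and rounds up to 2, while the original call still processes 4. With `kFull`, whose register has no zero high words, the copy keeps its size and the overrun is 0, which is why a test suite whose Integers never carry zero top words would not trip a sanitizer on this path.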