On Thu, Oct 7, 2021 at 5:11 AM Tony Stead <thst...@gmail.com> wrote:
>
> I have been using the Integer class for some big number operations and seem 
> to have found a buffer overflow in at least the Integer::And routine, I have 
> not yet inspected any more..
>
> Extract from integer.cpp
>
> // This is a bit operation. We set sign to POSITIVE, so there's no need to
> // worry about negative zero. Also see http://stackoverflow.com/q/11644362.
> Integer Integer::And(const Integer& t) const
> {
>     if (this == &t)
>     {
>         return AbsoluteValue();
>     }
>     else if (reg.size() >= t.reg.size())
>     {
>         Integer result(t);
>         AndWords(result.reg, reg, t.reg.size());
>
>         result.sign = POSITIVE;
>         return result;
>     }
>     else // reg.size() < t.reg.size()
>     {
>         Integer result(*this);
>         AndWords(result.reg, t.reg, reg.size());
>
>         result.sign = POSITIVE;
>         return result;
>     }
> }
>
> The issue is caused in the temporary result variable.  When result copies t 
> or this in its constructor, it calculates the minimum size required to fit 
> the current number in t or this.  If the top order bits of t or this have 
> gone zero it will allocate fewer bytes than the size of t or this.  However 
> the following AndWords routine performs a copy using the size of the original 
> number, either t or this.
>
> Changing the value to result.reg.size() appears to fix the issue at least for 
> my use case.

Thanks Tony.

Do you have a reproducer? I'd like to look at it.

We have test cases set up and they are run under the sanitizers. I
don't recall seeing a finding. We might be missing a test case for it,
however.

Jeff
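The size mismatch Tony describes, modeled as a stand-alone toy so the reasoning can be checked without the library. This is an added example, not Crypto++ code: `ToyInteger`, `AndWords`, `AndReported`, `AndFixed` and the sample values are made up here. It assumes exactly what the report states, that copying an integer allocates only the words the current magnitude needs, and it uses bounds-checked `.at()` indexing so the overrun shows up as a `std::out_of_range` exception rather than as memory corruption. Whether the real `Integer` copy constructor behaves this way on a given input is what a reproducer for Jeff would settle.

```cpp
// Toy model of the reported mismatch between a copy's storage size and the
// operand's storage size. Not Crypto++ code; names and inputs are invented.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

typedef uint32_t word;

struct ToyInteger {
    std::vector<word> reg;  // little-endian words, always at least one

    explicit ToyInteger(const std::vector<word>& words) : reg(words) {
        if (reg.empty()) reg.push_back(0);
    }

    // Assumption from the report: a copy holds only the words needed for the
    // current magnitude, so it can be shorter than the source's storage.
    ToyInteger(const ToyInteger& t)
        : reg(t.reg.begin(),
              t.reg.begin() + static_cast<std::ptrdiff_t>(
                                  std::max<size_t>(1, t.WordCount()))) {}

    // Number of words up to and including the highest non-zero word.
    size_t WordCount() const {
        size_t n = reg.size();
        while (n > 0 && reg[n - 1] == 0) --n;
        return n;
    }
};

// r[i] &= a[i] for i < n. .at() throws std::out_of_range on a bad index
// instead of writing past the end of the buffer.
static void AndWords(std::vector<word>& r, const std::vector<word>& a, size_t n) {
    for (size_t i = 0; i < n; ++i)
        r.at(i) &= a.at(i);
}

// The pattern from the posted And(): the word count comes from the operand t,
// while the destination is a (possibly shorter) copy of t.
// Assumes a.reg.size() >= t.reg.size(), i.e. the middle branch of the post.
static ToyInteger AndReported(const ToyInteger& a, const ToyInteger& t) {
    ToyInteger result(t);
    AndWords(result.reg, a.reg, t.reg.size());
    return result;
}

// Tony's proposed change: take the count from result's own storage.
// result.reg.size() <= t.reg.size() <= a.reg.size(), so every index is in
// bounds, and the words of t that were dropped were zero, so AND-ing them
// away loses nothing.
static ToyInteger AndFixed(const ToyInteger& a, const ToyInteger& t) {
    ToyInteger result(t);
    AndWords(result.reg, a.reg, result.reg.size());
    return result;
}

// True if the reported variant indexes past the copy's storage for this input.
static bool ReportedVariantOverruns(const ToyInteger& a, const ToyInteger& t) {
    try {
        AndReported(a, t);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Constructed inputs: t was once four words wide but its top three words have
// gone to zero, so a copy of it holds a single word.
static ToyInteger SampleA() { return ToyInteger({0xFFFF0000u, 1u, 2u, 3u}); }
static ToyInteger SampleT() { return ToyInteger({0x0F0F0F0Fu, 0u, 0u, 0u}); }

int main() {
    std::printf("reported variant overruns: %s\n",
                ReportedVariantOverruns(SampleA(), SampleT()) ? "yes" : "no");
    ToyInteger r = AndFixed(SampleA(), SampleT());
    std::printf("fixed variant: %zu word(s), low word 0x%08x\n",
                r.reg.size(), static_cast<unsigned>(r.reg[0]));
    return 0;
}
```

With these inputs the posted pattern walks four words into a one-word copy, while the corrected count stays within the copy and still yields the right value (`0x0F0F0F0F & 0xFFFF0000`). An input whose high words are non-zero does not trigger the mismatch, which is consistent with sanitizer runs not flagging it unless a test happens to AND a value whose leading words have become zero.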

-- 
You received this message because you are subscribed to the Google Groups 
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cryptopp-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/cryptopp-users/CAH8yC8nqkhmT7y8vZ%3DXAgb16qPhRC6MPcQZM52bWKBPA%3DdZO3A%40mail.gmail.com.