# Re: [cryptopp-users] Buffer Overflow in Integer.cpp

```Hi,

```
I have created a fairly simple demonstration.  In doing so I realise you
may need to manipulate two integers to create the problem..  But this
triggers the issue.

// To cause the overrun we need to manipulate two integers that then cross
a 64 bit boundary.
// In addition they need to be positioned such that they cross a boundary
in the lookup table within
// RoundupSizeTable table in integer.cpp..

//------------------------------
// static const unsigned int RoundupSizeTable[] = {2, 2, 2, 4, 4, 8, 8, 8,
8};
//
//static inline size_t RoundupSize(size_t n)
//{
// if (n<=8)
// return RoundupSizeTable[n];
// else if (n<=16)
// return 16;
// else if (n<=32)
// return 32;
// else if (n<=64)
// return 64;
// else
// return size_t(1) << BitPrecision(n-1);
//}
//-------------------------------

// With the following number we will downsize from 5 lots of 64 bits to 4,
making the lookup
// in roundup table cross from 8 to 4.
std::uint8_t bitstream[] =
{ 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
CryptoPP::Integer bigint1(bitstream, sizeof(bitstream));
CryptoPP::Integer bigint2(bitstream, sizeof(bitstream));

// Bit shift to top bits are zeroised, this means that the CountWords
algorithm will later ignore leading zero bytes.
// I figure you could probably also use substract here, anything that does
not reallocate the reg buffer.
bigint1 >>= 1;
bigint2 >>= 1;

// Now perform one of the vulnerable manipulations.
// It is within this operator that a new integer is allocated with the
reduced buffer size, but
// the full length of one of the original integers is copied into the
buffer.
auto result = bigint2 & bigint1;

Hope this helps, let me know if I can help any further.

Cheers,

Tony.

On Friday, 8 October 2021 at 05:32:17 UTC+1 Jeffrey Walton wrote:

> On Fri, Oct 8, 2021 at 12:02 AM Jeffrey Walton <nolo...@gmail.com> wrote:
> >
> > On Thu, Oct 7, 2021 at 5:11 AM Tony Stead <ths...@gmail.com> wrote:
> > >
> > > I have been using the Integer class for some big number operations and
> seem to have found a buffer overflow in at least the Integer::And routine,
> I have not yet inspected any more..
> > >
> > > ...
> > > The issue is casued in the temporary result variable. When result
> copies t or this in its constructor, it calculates the minimum size
> required to fit the current number in t or this. If the top order bits of t
> or this have gone zero it will allocate less bytes than the size of t or
> this. However the following AndWords routine performs a copy using the size
> of the original number, either t or this.
> > >
> > > Changing the value to result.reg.size() appears to fix the issue at
> least for my use case.
> >
> > Thanks Tony.
> >
> > Do you have a reproducer? I'd like to look at it.
> >
> > We have test cases setup and they are run under the sanitizers. I
> > don't recall seeing a finding. We might be missing a test case for it,
> > however.
>
> By the way, here's the test data we use for testing the integer
> operations. It was generated using Java, so you should get the same
> result between Crypto++ and Java. You can find the Java program at
> http://github.com/weidai11/cryptopp/issues/336.
>
> https://github.com/weidai11/cryptopp/blob/master/validat2.cpp#L34
>
> Jeff
>

--
You received this message because you are subscribed to the Google Groups
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email