On Fri, Oct 8, 2021 at 12:40 PM Tony Stead <thst...@gmail.com> wrote: > > Hi, > > Sorry I hadn't noticed your response. > > I have created a fairly simple demonstration. In doing so I realise you may > need to manipulate two integers to create the problem.. But this triggers > the issue. > > // To cause the overrun we need to manipulate two integers that then cross a > 64 bit boundary. > // In addition they need to be positioned such that they cross a boundary in > the lookup table within > // RoundupSizeTable table in integer.cpp.. > > //------------------------------ > // static const unsigned int RoundupSizeTable[] = {2, 2, 2, 4, 4, 8, 8, 8, 8}; > // > //static inline size_t RoundupSize(size_t n) > //{ > // if (n<=8) > // return RoundupSizeTable[n]; > // else if (n<=16) > // return 16; > // else if (n<=32) > // return 32; > // else if (n<=64) > // return 64; > // else > // return size_t(1) << BitPrecision(n-1); > //} > //------------------------------- > > // With the following number we will downsize from 5 lots of 64 bits to 4, > making the lookup > // in roundup table cross from 8 to 4. > std::uint8_t bitstream[] = > { 0x01, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; > CryptoPP::Integer bigint1(bitstream, sizeof(bitstream)); > CryptoPP::Integer bigint2(bitstream, sizeof(bitstream)); > > // Bit shift to top bits are zeroised, this means that the CountWords > algorithm will later ignore leading zero bytes. > // I figure you could probably also use substract here, anything that does > not reallocate the reg buffer. > bigint1 >>= 1; > bigint2 >>= 1; > > // Now perform one of the vulnerable manipulations. > // It is within this operator that a new integer is allocated with the > reduced buffer size, but > // the full length of one of the original integers is copied into the buffer. > auto result = bigint2 & bigint1; > > Hope this helps, let me know if I can help any further.
Thanks. Do you have a *.cpp file I can compile and run? Jeff -- You received this message because you are subscribed to the Google Groups "Crypto++ Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to cryptopp-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/cryptopp-users/CAH8yC8nzw0xnEU0N9Qp_usfpsyddkgtEDPWmT-iS4Cs8tyO01A%40mail.gmail.com.