On Fri, Oct 8, 2021 at 12:40 PM Tony Stead <thst...@gmail.com> wrote:
>
> Hi,
>
> Sorry I hadn't noticed your response.
>
> I have created a fairly simple demonstration.  In doing so I realise you may 
> need to manipulate two integers to create the problem..  But this triggers 
> the issue.
>
> // To cause the overrun we need to manipulate two integers that then cross a 
> 64 bit boundary.
> // In addition they need to be positioned such that they cross a boundary in 
> the lookup table within
> // RoundupSizeTable table in integer.cpp..
>
> //------------------------------
> // static const unsigned int RoundupSizeTable[] = {2, 2, 2, 4, 4, 8, 8, 8, 8};
> //
> //static inline size_t RoundupSize(size_t n)
> //{
> // if (n<=8)
> // return RoundupSizeTable[n];
> // else if (n<=16)
> // return 16;
> // else if (n<=32)
> // return 32;
> // else if (n<=64)
> // return 64;
> // else
> // return size_t(1) << BitPrecision(n-1);
> //}
> //-------------------------------
>
> // With the following number we will downsize from 5 lots of 64 bits to 4, 
> making the lookup
> // in roundup table cross from 8 to 4.
> std::uint8_t bitstream[] =
> { 0x01,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
> CryptoPP::Integer bigint1(bitstream, sizeof(bitstream));
> CryptoPP::Integer bigint2(bitstream, sizeof(bitstream));
>
> // Bit shift to top bits are zeroised, this means that the CountWords 
> algorithm will later ignore leading zero bytes.
> // I figure you could probably also use substract here, anything that does 
> not reallocate the reg buffer.
> bigint1 >>= 1;
> bigint2 >>= 1;
>
> // Now perform one of the vulnerable manipulations.
> // It is within this operator that a new integer is allocated with the 
> reduced buffer size, but
> // the full length of one of the original integers is copied into the buffer.
> auto result = bigint2 & bigint1;
>
> Hope this helps, let me know if I can help any further.

Thanks.

Do you have a *.cpp file I can compile and run?

Jeff

-- 
You received this message because you are subscribed to the Google Groups 
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cryptopp-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/cryptopp-users/CAH8yC8nzw0xnEU0N9Qp_usfpsyddkgtEDPWmT-iS4Cs8tyO01A%40mail.gmail.com.

Reply via email to