# Re: [cryptopp-users] Buffer Overflow in Integer.cpp

On Fri, Oct 8, 2021 at 12:40 PM Tony Stead <thst...@gmail.com> wrote:
>
> Hi,
>
> I have created a fairly simple demonstration. In doing so I realise you may
> need to manipulate two integers to create the problem, but this triggers
> the issue.
>
> ```cpp
> #include <cstdint>
> #include <cryptopp/integer.h>   // header path of a packaged Crypto++ install; in-tree builds use "integer.h"
>
> // To cause the overrun we need to manipulate two integers that then cross a
> // 64-bit boundary. In addition they need to be positioned such that they
> // cross a boundary in the lookup table RoundupSizeTable in integer.cpp.
>
> //------------------------------
> // static const unsigned int RoundupSizeTable[] = {2, 2, 2, 4, 4, 8, 8, 8, 8};
> //
> // static inline size_t RoundupSize(size_t n)
> // {
> //     if (n<=8)
> //         return RoundupSizeTable[n];
> //     else if (n<=16)
> //         return 16;
> //     else if (n<=32)
> //         return 32;
> //     else if (n<=64)
> //         return 64;
> //     else
> //         return size_t(1) << BitPrecision(n-1);
> // }
> //-------------------------------
>
> // With the following number we will downsize from 5 lots of 64 bits to 4,
> // making the lookup in the roundup table cross from 8 to 4.
> std::uint8_t bitstream[] =
> { 0x01,
>   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
> CryptoPP::Integer bigint1(bitstream, sizeof(bitstream));
> CryptoPP::Integer bigint2(bitstream, sizeof(bitstream));
>
> // Bit shift so the top bits are zeroised; this means that the CountWords
> // algorithm will later ignore leading zero bytes.
> // I figure you could probably also use subtract here, anything that does
> // not reallocate the reg buffer.
> bigint1 >>= 1;
> bigint2 >>= 1;
>
> // Now perform one of the vulnerable manipulations.
> // It is within this operator that a new integer is allocated with the
> // reduced buffer size, but the full length of one of the original integers
> // is copied into the buffer.
> auto result = bigint2 & bigint1;
> ```
>
> Hope this helps, let me know if I can help any further.
Thanks.

Do you have a *.cpp file I can compile and run?

Jeff
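As an added example, not Tony's demonstration and not Crypto++'s own code: a self-contained model of the allocation mismatch the report describes, so the word-count and RoundupSize arithmetic can be checked without building the library. RoundupSize is taken verbatim from the quoted snippet; BitPrecision is a plain re-implementation. The model assumes the result is allocated from the operands' live word count and the copy length is taken from the operand's old allocation (the post only says "reduced buffer size" and "full length of one of the original integers"); ModelInteger, CopyOverrunWords, SafeAnd, PocReport and RunPoc are names chosen here, and the 33-byte input is the report's bitstream reconstructed inline. The overrun is reported as a word count rather than performed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// RoundupSize as quoted in the report. BitPrecision (smallest b with v < 2^b) is a
// plain re-implementation standing in for Crypto++'s helper of that name.
static inline unsigned int BitPrecision(size_t v)
{ unsigned int b = 0; while (v) { ++b; v >>= 1; } return b; }

static const unsigned int RoundupSizeTable[] = {2, 2, 2, 4, 4, 8, 8, 8, 8};

static inline size_t RoundupSize(size_t n)
{
    if (n <= 8) return RoundupSizeTable[n];
    if (n <= 16) return 16;
    if (n <= 32) return 32;
    if (n <= 64) return 64;
    return size_t(1) << BitPrecision(n - 1);
}

// Minimal stand-in for Integer (assumed model): little-endian 64-bit words, allocated via RoundupSize.
struct ModelInteger {
    std::vector<uint64_t> reg;
    explicit ModelInteger(size_t words) : reg(RoundupSize(words), 0) {}

    // Decode a big-endian byte string, as the report's Integer(bitstream, len) does.
    ModelInteger(const uint8_t *bytes, size_t len) : ModelInteger((len + 7) / 8)
    {
        for (size_t i = 0; i < len; ++i) {
            size_t bit = (len - 1 - i) * 8;
            reg[bit / 64] |= uint64_t(bytes[i]) << (bit % 64);
        }
    }
    // Words up to the most significant non-zero one; leading zero words are ignored.
    size_t WordCount() const
    {
        size_t n = reg.size();
        while (n > 0 && reg[n - 1] == 0) --n;
        return n;
    }
    // >>= 1 in place: the value shrinks, the allocation does not.
    void ShiftRight1()
    {
        for (size_t i = 0; i < reg.size(); ++i) {
            uint64_t carry = (i + 1 < reg.size()) ? (reg[i + 1] & 1) : 0;
            reg[i] = (reg[i] >> 1) | (carry << 63);
        }
    }
};

// The mismatch the report describes: result sized from the live word count (assumed
// policy; the post only says "reduced buffer size"), copy length taken from the
// operand's old allocation. Returns the words written past the end instead of doing it.
size_t CopyOverrunWords(const ModelInteger &a, const ModelInteger &b)
{
    size_t resultWords = RoundupSize(std::min(a.WordCount(), b.WordCount()));
    size_t copiedWords = a.reg.size();
    return copiedWords > resultWords ? copiedWords - resultWords : 0;
}

// Hardened form: copy only the live words, which by construction fit the new allocation.
ModelInteger SafeAnd(const ModelInteger &a, const ModelInteger &b)
{
    size_t n = std::min(a.WordCount(), b.WordCount());
    ModelInteger r(n);
    for (size_t i = 0; i < n; ++i) r.reg[i] = a.reg[i] & b.reg[i];
    return r;
}

// Constructed input: the report's 33-byte bitstream, 0x01 then 32 zero bytes (2^256).
static const uint8_t kBitstream[33] = {0x01};

struct PocReport {
    size_t allocWords, liveBefore, overrunBefore, liveAfter, overrunAfter, safeWords;
    uint64_t safeTopWord;
};

// Replays the report's steps on the model and returns what each step measures.
PocReport RunPoc()
{
    ModelInteger a(kBitstream, sizeof kBitstream), b(kBitstream, sizeof kBitstream);
    PocReport rep{};
    rep.allocWords = a.reg.size();              // RoundupSize(5) == 8
    rep.liveBefore = a.WordCount();             // 5
    rep.overrunBefore = CopyOverrunWords(a, b); // 0: the result also rounds up to 8
    a.ShiftRight1(); b.ShiftRight1();
    rep.liveAfter = a.WordCount();              // 4, and RoundupSize(4) == 4
    rep.overrunAfter = CopyOverrunWords(a, b);  // 8 copied - 4 allocated == 4 words
    ModelInteger r = SafeAnd(a, b);
    rep.safeWords = r.reg.size();
    rep.safeTopWord = r.reg[r.WordCount() - 1]; // 2^255 & 2^255: bit 63 of word 3
    return rep;
}

int main()
{
    PocReport rep = RunPoc();
    std::printf("alloc %zu, live %zu -> %zu, overrun %zu -> %zu, SafeAnd %zu words top 0x%016llx\n",
                rep.allocWords, rep.liveBefore, rep.liveAfter, rep.overrunBefore, rep.overrunAfter,
                rep.safeWords, (unsigned long long)rep.safeTopWord);
}
```

Build with `g++ -std=c++11`. RunPoc shows the 33-byte input occupying 5 of 8 allocated words, dropping to 4 live words after the shift; at that point RoundupSize(4) is 4, so a copy sized from the old 8-word allocation runs 4 words past the result. SafeAnd bounds the copy by the live word count, which is the invariant a fix has to restore: copy length must never be derived from a buffer other than the one being written.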
