I may not be using my eyes properly, but I cannot see how to attach files 
to this...

Shall I email you it?  Is just the cpp OK or do you want a makefile etc.?  
Makefile will take a little longer as I will need to set that up....  And 
my wife is demanding attention so may not be able to do it immediately..

On Friday, 8 October 2021 at 18:00:26 UTC+1 Jeffrey Walton wrote:

> On Fri, Oct 8, 2021 at 12:40 PM Tony Stead <ths...@gmail.com> wrote: 
> > 
> > Hi, 
> > 
> > Sorry I hadn't noticed your response. 
> > 
> > I have created a fairly simple demonstration. In doing so I realise you may need to manipulate two integers to create the problem. But this triggers the issue. 
> > 
> > // To cause the overrun we need to manipulate two integers that then cross a 64 bit boundary. 
> > // In addition they need to be positioned such that they cross a boundary in the lookup table within 
> > // RoundupSizeTable table in integer.cpp. 
> > 
> > //------------------------------ 
> > // static const unsigned int RoundupSizeTable[] = {2, 2, 2, 4, 4, 8, 8, 8, 8}; 
> > // 
> > // static inline size_t RoundupSize(size_t n) 
> > // { 
> > //     if (n<=8) 
> > //         return RoundupSizeTable[n]; 
> > //     else if (n<=16) 
> > //         return 16; 
> > //     else if (n<=32) 
> > //         return 32; 
> > //     else if (n<=64) 
> > //         return 64; 
> > //     else 
> > //         return size_t(1) << BitPrecision(n-1); 
> > // } 
> > //------------------------------- 
> > 
> > // With the following number we will downsize from 5 lots of 64 bits to 4, making the lookup 
> > // in roundup table cross from 8 to 4. 
> > std::uint8_t bitstream[] = 
> > { 0x01, 
> > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
> > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
> > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
> > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 
> > CryptoPP::Integer bigint1(bitstream, sizeof(bitstream)); 
> > CryptoPP::Integer bigint2(bitstream, sizeof(bitstream)); 
> > 
> > // Bit shift so top bits are zeroised, this means that the CountWords algorithm will later ignore leading zero bytes. 
> > // I figure you could probably also use subtract here, anything that does not reallocate the reg buffer. 
> > bigint1 >>= 1; 
> > bigint2 >>= 1; 
> > 
> > // Now perform one of the vulnerable manipulations. 
> > // It is within this operator that a new integer is allocated with the reduced buffer size, but 
> > // the full length of one of the original integers is copied into the buffer. 
> > auto result = bigint2 & bigint1; 
> > 
> > Hope this helps, let me know if I can help any further. 
>
> Thanks. 
>
> Do you have a *.cpp file I can compile and run? 
>
> Jeff 
>
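
The size arithmetic behind the quoted demonstration, as an added stand-alone model that is not part of the thread and not Crypto++ code. Only RoundupSizeTable and RoundupSize come from the quoted text; ModelInteger, BitPrecisionModel, AndSizes and ModelAndSizes are hypothetical names, and the model assumes 64-bit words and that "the full length" means the operand's allocated register size.

```cpp
// Added model, not Crypto++ source; names other than RoundupSize* are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>
static const unsigned int RoundupSizeTable[] = {2, 2, 2, 4, 4, 8, 8, 8, 8};
static unsigned int BitPrecisionModel(std::size_t n) {  // bits needed to hold n
    unsigned int b = 0;
    for (; n; n >>= 1) ++b;
    return b;
}
static std::size_t RoundupSize(std::size_t n) {
    if (n <= 8) return RoundupSizeTable[n];
    if (n <= 16) return 16;
    if (n <= 32) return 32;
    if (n <= 64) return 64;
    return std::size_t(1) << BitPrecisionModel(n - 1);
}
struct ModelInteger {
    std::vector<std::uint64_t> reg;  // allocated 64-bit words, least significant first
    ModelInteger(const std::uint8_t* be, std::size_t len)  // big-endian bytes in
        : reg(RoundupSize((len + 7) / 8), 0) {
        for (std::size_t i = 0; i < len; ++i)
            reg[i / 8] |= std::uint64_t(be[len - 1 - i]) << (8 * (i % 8));
    }
    void ShiftRightOne() {  // in place; reg keeps its allocated size
        for (std::size_t i = 0; i < reg.size(); ++i)
            reg[i] = (reg[i] >> 1) | (i + 1 < reg.size() ? reg[i + 1] << 63 : 0);
    }
    std::size_t WordCount() const {  // significant words, leading zero words ignored
        std::size_t n = reg.size();
        while (n && reg[n - 1] == 0) --n;
        return n;
    }
};
struct AndSizes { std::size_t resultWords, copiedWords; bool overrun; };
// Assumed from the thread: result sized from word counts, copy length = source's allocated size.
static AndSizes ModelAndSizes(const ModelInteger& a, const ModelInteger& b) {
    std::size_t result = RoundupSize(std::min(a.WordCount(), b.WordCount()));
    return AndSizes{result, a.reg.size(), a.reg.size() > result};
}
int main() {
    std::uint8_t bitstream[33] = {0x01};  // 0x01 then 32 zero bytes, as in the thread
    ModelInteger a(bitstream, sizeof(bitstream)), b(bitstream, sizeof(bitstream));
    a.ShiftRightOne(); b.ShiftRightOne();
    AndSizes s = ModelAndSizes(a, b);
    std::printf("result=%zu copied=%zu overrun=%d\n", s.resultWords, s.copiedWords, int(s.overrun));
}
```

The 33-byte input occupies 5 words and is allocated 8; after the shift it occupies 4 words while still holding 8, so a result sized by RoundupSize(4) is half the length of the source register.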
