2007/4/9, Robert Dewar <[EMAIL PROTECTED]>:
J.C. Pizarro wrote:
> The multiply is signed. It needs a little more research.
So what? The low-order 32 bits of an `imull` are identical to those of an unsigned multiply, so the signedness of the instruction cannot change the product that is passed on. I think this is just confusion on your part!
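Yes, I accidentally eliminated the lines containing the point '.' to remove redundant info.
------------------------------------------------------------------------------
/* Allocation helper under discussion.  The multiply below is unchecked; the
 * only overflow protection is the caller-supplied bound, so the guard is
 * effective only when max_num <= ~size_t(0) / size.  Whether the product
 * is formed with a signed or an unsigned multiply does not matter: the low
 * 32 bits are the same either way. */
void *__allocate_array(size_t num, size_t size, size_t max_num)
{
    if (num > max_num)
        return mynewXX(~size_t(0));
    return mynewXX(size * num);
}

_Z16__allocate_arrayjjj:
.LFB6:
        movl    4(%esp), %edx
        cmpl    12(%esp), %edx
        movl    8(%esp), %eax
        jbe     .L11
        movl    $-1, 4(%esp)
        jmp     .L15
.L11:
        imull   %edx, %eax
        movl    %eax, 4(%esp)
.L15:
        jmp     _Z7mynewXXj
------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Objective: find (num, size, max_num) triples for which __allocate_array(..)
 * hands mynewXX(..) a product that differs from the exact num*size.
 *
 * Mainly about the effects of "imull %edx, %eax" in the listing above.
 * Three assumptions narrow the search (marked "1st/2nd/3rd assumption").
 * The harness assumes a 32-bit size_t, matching the i386 listing: rand()
 * never exceeds INT_MAX and size <= 63, so with a 64-bit size_t the product
 * cannot wrap and nothing is ever reported.
 *
 * All quick & dirty by J.C. Pizarro */

/* Arguments of the most recent __allocate_array(..) call, kept in globals so
 * the mynewXX(..) stub can compare what it received with what was requested. */
size_t my_num, my_size, my_max_num;

enum {
    MAX_ELEMENT_SIZE = 0x3F,   /* 1st assumption: sizeof(element) <= 63 bytes */
    MAX_REQUEST_SIZE = 200     /* 3rd assumption: only inspect small requests */
};

/* Stub for the real allocator.  Never allocates; prints a line when the
 * size_t product it received looks suspicious.  Always returns NULL. */
void *mynewXX(size_t size)
{
    if (my_num > my_max_num) {
        /* The guard fired and size is ~size_t(0): nothing to report. */
        return NULL;
    }
    if (size > MAX_REQUEST_SIZE)
        return NULL;  /* 3rd assumption */

    /* Exact product, computed in 64 bits so it cannot wrap for a 32-bit size_t. */
    unsigned long long mult = (unsigned long long)my_size * (unsigned long long)my_num;

    /* Two different things are flagged here:
     *  - mult >= 2^31: the product sets bit 31 (the "signed multiply" concern;
     *    harmless, the low 32 bits are unaffected by signedness);
     *  - mult > size: the 32-bit product really was truncated.
     * A truncated product can only happen when my_max_num > ~size_t(0)/my_size,
     * because my_num <= my_max_num was required to get here.  Such a hit shows
     * that the harness chose an invalid bound, not that the multiply is wrong.
     * (The original `(unsigned int)size >= 0x80000000` test was dead code:
     * size <= MAX_REQUEST_SIZE at this point.) */
    if (mult >= 0x0000000080000000ULL || mult > size) {
        /* %zu / %zX match size_t on both 32- and 64-bit targets. */
        printf("oh!: num=%zu; size=%zu; max_num=0x%08zX; num*size=%zu (0x%08zX); long=%llu (0x%08X%08X)\n",
               my_num, my_size, my_max_num, size, size, mult,
               (unsigned int)(mult >> 32), (unsigned int)(mult & 0xFFFFFFFFULL));
        fflush(stdout);
    }
    return NULL;
}

/* Copy of the function under test, so the harness calls the same code as the
 * listing above. */
void *__allocate_array(size_t num, size_t size, size_t max_num)
{
    if (num > max_num)
        return mynewXX(~size_t(0));
    return mynewXX(size * num);
}

/* Feed random (num, size, max_num) triples to __allocate_array(..) forever. */
void randattack_allocate_array_start_until_infinity(void)
{
    srand(time(NULL));  /* fuzzing seed only; not a security-grade RNG */
    while (1) {
        my_num = (size_t)rand();
        my_size = (size_t)rand() & MAX_ELEMENT_SIZE;  /* 1st assumption */
        /* Random top 3 bits, low 29 bits all set.  Done in size_t: the original
         * `rand() << 29` overflowed a signed int (undefined behaviour) and
         * `(~0) >> 3` right-shifted a negative int (implementation-defined). */
        my_max_num = ((size_t)rand() << 29) | (~size_t(0) >> (32 - 29));
        /* 2nd assumption: only exercise the path that passes the guard. */
        if (my_num <= my_max_num)
            __allocate_array(my_num, my_size, my_max_num);
    }
}

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    randattack_allocate_array_start_until_infinity();
    return 0;
}
------------------------------------------------------------------------------
# gcc version 4.1.3 20070326 (prerelease)
oh!: num=715827888; size=36; max_num=0x9FFFFFFF; num*size=192 (0x000000C0); long=25769803968 (0x00000006000000C0)
oh!: num=1762037869; size=39; max_num=0xDFFFFFFF; num*size=155 (0x0000009B); long=68719476891 (0x000000100000009B)
oh!: num=460175073; size=28; max_num=0x5FFFFFFF; num*size=156 (0x0000009C); long=12884902044 (0x000000030000009C)
oh!: num=1073741826; size=28; max_num=0xDFFFFFFF; num*size=56 (0x00000038); long=30064771128 (0x0000000700000038)
...
------------------------------------------------------------------------------
J.C. Pizarro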
randattack_allocate_array_april2007.tar.gz
Description: GNU Zip compressed data