<h1>Integer overflow in the new[] operator</h1>
<p>The Old New Thing, 29 January 2004.
Original post: <a href="https://devblogs.microsoft.com/oldnewthing/20040129-00/?p=40833">https://devblogs.microsoft.com/oldnewthing/20040129-00/?p=40833</a></p>
<p>Integer overflows are becoming a new security attack vector.
<a href="http://msdn.microsoft.com/library/en-us/dncode/html/secure01142004.asp">
Mike Howard&#8217;s article discusses some of the ways you can protect
yourself against integer overflow attacks</a>.</p>
<p>
One attack vector he neglects to mention is integer overflow
in the new[] operator. This operator performs an implicit multiplication
(element count times element size) that is unchecked:
</p>
<pre>
int *allocate_integers(int howmany)
{
    return new int[howmany];
}
</pre>
<p>
If you study the code generation for this (32-bit x86), it comes out to
</p>
<pre>
  mov  eax, [esp+4] ; eax = howmany
  shl  eax, 2       ; eax = howmany * sizeof(int)
  push eax
  call operator new ; allocate that many bytes
  pop  ecx
  ret  4
</pre>
<p>
Notice that the multiplication by sizeof(int) is not checked
for overflow. Somebody can trick you into under-allocating
memory by passing a value like howmany = 0x40000001:
0x40000001 * 4 = 0x100000004, which truncates to 4 in 32 bits,
so operator new is asked for 4 bytes while the caller believes
it has room for over a billion ints.
For larger structures, multiplication overflow happens sooner.
</p>
<p>
Let&#8217;s look at a slightly longer example:
</p>
<pre>
class MyClass {
public:
  MyClass(); // constructor
  int stuff[256];
};
MyClass *allocate_myclass(int howmany)
{
  return new MyClass[howmany];
}
</pre>
<p>
This class also contains a constructor,
so allocating an array of them involves
two steps: allocate the memory, then
construct each object.
The allocate_myclass function compiles
to this:</p>
<pre>
  mov  eax, [esp+4] ; howmany
  shl  eax, 10      ; howmany * sizeof(MyClass)
  push esi
  push eax
  call operator new ; allocate that many bytes
  mov  esi, eax
  test esi, esi
  pop  ecx
  je   fail
  push OFFSET MyClass::MyClass
  push [esp+12]     ; howmany
  push 1024         ; sizeof(MyClass)
  push esi          ; memory block
  call `vector constructor iterator`
  mov  eax, esi
  jmp  done
fail:
  xor  eax, eax
done:
  pop  esi
  ret  4
</pre>
<p>
This function does an unchecked multiplication of
the size, then tries to allocate that many bytes,
then tells the vector constructor iterator to
call the constructor (MyClass::MyClass) that many
times.
</p>
<p>
If somebody tricks you into calling
allocate_myclass(0x400001), the multiplication
overflows: 0x400001 * 1024 = 0x100000400, which
truncates to 0x400, so only 1024 bytes are allocated.
This allocation succeeds, and then the vector
constructor tries to initialize 0x400001 of
those items, even though in reality only one
of them got allocated. So you walk off the end
of the memory block and start corrupting memory.
</p>
<p>
That&#8217;s a bad thing.
</p>
<p>
To protect against this, you can wrap an integer
overflow check around the array allocation.
</p>
<pre>
template&lt;typename T&gt;
T* NewArray(size_t n)
{
  if (n &lt;= (size_t)-1 / sizeof(T))
    return new T[n];
  // n is too large - act as if we
  // ran out of memory
  return NULL;
}
</pre>
<p>
The test rejects every n for which n * sizeof(T) would exceed
the largest representable size_t, which is exactly the condition
under which the implicit multiplication wraps.
Note: If you use a throwing &#8220;new&#8221;, then replace
the &#8220;return NULL&#8221; with an appropriate throw.
</p>
<p>
You can now use this template to allocate
arrays in an overflow-safe manner.
</p>
<pre>
MyClass *allocate_myclass(int howmany)
{
  return NewArray&lt;MyClass&gt;(howmany);
}
</pre>
<p>
This generates the following code (the added overflow check
is the first four instructions):</p>
<pre>
<font COLOR="red">  push edi
  mov  edi, [esp+8] ; howmany
  cmp  edi, 4194303 ; overflow? (4194303 = 0xFFFFFFFF / 1024)
  ja   overflow</font>
  mov  eax, edi
  shl  eax, 10
  push esi
  push eax
  call operator new
  mov  esi, eax
  test esi, esi
  pop  ecx
  je   failed
  push OFFSET MyClass::MyClass
  push edi
  push 1024
  push esi
  call `vector constructor iterator`
  mov  eax, esi
  jmp  done
failed:
  xor  eax, eax
done:
  pop  esi
  jmp  exit
overflow:
  xor  eax, eax
exit:
  pop  edi
  ret  4
</pre>
<p>
Notice the new code that checks for a possible
integer multiplication overflow. Because the comparison
is unsigned (ja), a negative howmany, which converts to a
huge size_t, is rejected as well.
</p>
<p>
Current compilers insert an equivalent check themselves: since C++11,
a throwing new[] whose byte size would overflow is required to throw
std::bad_array_new_length rather than under-allocate. The same unchecked
multiplication still has to be guarded by hand wherever the code computes
the byte count itself, as in malloc(n * sizeof(T)).
</p>
<p>
But how could you get tricked into an overflow situation?
</p>
<p>
The most common way of doing this is by reading the value out
of a file or some other storage location. For example,
if your code is parsing a file that has a section whose
format is &#8220;length followed by data&#8221;,
somebody could intentionally put an overflow-inducing value
into the &#8220;length&#8221; field, then get somebody else to try
to load the file.
</p>
<p>
This is particularly dangerous if the filetype is something
that is generally considered &#8220;not dangerous&#8221;, like a JPG.</p>
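<p>The checked allocation and the &#8220;length followed by data&#8221; parsing case described in the post above, as an added example that is not code from the original post. It simulates the unchecked 32-bit multiply the post&#8217;s code generation performs, restates the NewArray check so it is correct for any size_t width (and for counts that arrive as signed ints), and applies that check inside a small parser for a constructed section layout: a 4-byte little-endian record count followed by 1024-byte records. The names Record, UncheckedBytes32, ArrayCountFits, ParseRecords, MakeSection and ParseSample, and the section layout itself, are assumptions made for this example.</p>

```cpp
// Added example, not code from the original post.  Record, UncheckedBytes32,
// ArrayCountFits, ParseRecords, MakeSection and ParseSample are names chosen
// for this example; the section layout is constructed, not a real file format.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

// What the post's 32-bit code generation does ("shl eax, 2" / "shl eax, 10"):
// an unchecked multiply whose product is truncated to 32 bits before it
// reaches operator new.  Returns the byte count that would actually be requested.
uint32_t UncheckedBytes32(uint32_t howmany, uint32_t elemSize)
{
    uint64_t product = (uint64_t)howmany * elemSize;
    return (uint32_t)product;            // truncation to 32 bits is the wrap
}

// The post's check: n * sizeof(T) fits in size_t iff n <= SIZE_MAX / sizeof(T).
// A negative int passed as n converts to a huge size_t and is rejected too.
template <typename T>
bool ArrayCountFits(size_t n)
{
    return n <= SIZE_MAX / sizeof(T);
}

// The post's NewArray with a non-throwing new: nullptr means either "n too
// large" or genuinely out of memory, and callers treat both the same way.
template <typename T>
T* NewArray(size_t n)
{
    if (!ArrayCountFits<T>(n)) return nullptr;
    return new (std::nothrow) T[n];
}

struct Record { int stuff[256]; };   // the post's MyClass: 1024 bytes each

// Parser for the constructed layout: a 4-byte little-endian record count
// followed by that many Records.  Two checks are needed: the count must not
// make the byte size wrap (ArrayCountFits), and it must not claim more
// records than the buffer holds (or the copy loop would read past the end).
// Returns the number of records parsed, or -1 if the count is rejected.
long ParseRecords(const uint8_t* data, size_t len, std::vector<Record>& out)
{
    if (len < 4) return -1;
    uint32_t count = (uint32_t)data[0] | ((uint32_t)data[1] << 8) |
                     ((uint32_t)data[2] << 16) | ((uint32_t)data[3] << 24);
    const uint8_t* body = data + 4;
    size_t bodyLen = len - 4;
    if (!ArrayCountFits<Record>(count)) return -1;     // count * 1024 would wrap
    if (count > bodyLen / sizeof(Record)) return -1;   // claims more data than present
    if (count == 0) return 0;
    Record* recs = NewArray<Record>(count);
    if (recs == nullptr) return -1;                    // out of memory
    for (uint32_t i = 0; i < count; ++i)
        std::memcpy(&recs[i], body + (size_t)i * sizeof(Record), sizeof(Record));
    out.assign(recs, recs + count);
    delete[] recs;
    return (long)count;
}

// Constructed sample input: declaredCount goes in the header, but only
// actualRecords records follow it, so the two can be made to disagree.
// Record i carries i+1 in stuff[0] so the parsed data can be verified.
std::vector<uint8_t> MakeSection(uint32_t declaredCount, size_t actualRecords)
{
    std::vector<uint8_t> buf(4 + actualRecords * sizeof(Record));
    for (int b = 0; b < 4; ++b)
        buf[(size_t)b] = (uint8_t)(declaredCount >> (8 * b));
    for (size_t i = 0; i < actualRecords; ++i) {
        int v = (int)(i + 1);
        std::memcpy(&buf[4 + i * sizeof(Record)], &v, sizeof v);
    }
    return buf;
}

// Parses a constructed section: returns the record count, -1 if the count
// was rejected, or -2 if the parsed records do not match what was written.
long ParseSample(uint32_t declaredCount, size_t actualRecords)
{
    std::vector<uint8_t> buf = MakeSection(declaredCount, actualRecords);
    std::vector<Record> recs;
    long n = ParseRecords(buf.data(), buf.size(), recs);
    for (long i = 0; i < n; ++i)
        if (recs[(size_t)i].stuff[0] != (int)(i + 1)) return -2;
    return n;
}

int main()
{
    // Stand-alone run: a well-formed section parses, a hostile count is refused.
    return (ParseSample(2, 2) == 2 && ParseSample(0x400001u, 1) == -1) ? 0 : 1;
}
```

<p>Two separate checks are deliberate: ArrayCountFits guards the multiplication, and the comparison against bodyLen / sizeof(Record) guards against a count that is arithmetically safe yet larger than the data actually present. On a 64-bit build the post&#8217;s 0x400001 no longer wraps at all, and only the second check stops it; on a 32-bit build the first check rejects it before the allocation is attempted. Builds with any C++11 compiler, for example g++ -std=c++11.</p>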