I am writing a paper for my undergraduate degree on vulnerabilities in Google Chrome. On a recent Chrome bug blog, this was reported:
    // RCHECK(x) is Chrome's helper macro: it returns false from the enclosing
    // function when x is false.
    bool SampleAuxiliaryInformationOffset::Parse(BoxReader* reader)
    {
        RCHECK(reader->ReadFullBoxHeader());
        if (reader->flags() & 1)
            RCHECK(reader->SkipBytes(8));

        // count is taken straight from the file, so any 32-bit value is possible.
        uint32_t count;
        // count * 8 (or * 4) is evaluated in 32-bit unsigned arithmetic, so the
        // product can wrap around before HasBytes() ever sees it.
        RCHECK(reader->Read4(&count) &&
               reader->HasBytes(count * (reader->version() == 1 ? 8 : 4)));

        // Allocates count * sizeof(uint64_t) bytes for the offsets vector.
        offsets.resize(count);
        for (uint32_t i = 0; i < count; i++)
        {
            if (reader->version() == 1)
            {
                RCHECK(reader->Read8(&offsets[i]));
            }
            else
            {
                RCHECK(reader->Read4Into8(&offsets[i]));
            }
        }
        return true;
    }
More info here: https://bugs.chromium.org/p/chromium/issues/detail?id=679641
with the following description of how the overflow occurred:
"count is read from the mp4 file, which is between 0x0 and 0xffffffff. When reader->version() == 1, count * 8 will integer overflow, which bypasses the reader->HasBytes RCHECK. What's more, offsets is defined as std::vector<uint64_t> offsets;, so offsets.resize(count) will malloc count * sizeof(uint64_t) bytes; this will also overflow, leading to an out-of-bounds write."
My question is regarding the offsets.resize(count) overflow. I am not quite sure why it does overflow: I know count can be up to 2^32, so 4 bytes, and sizeof(uint64_t) is 8 bytes, meaning 32 bytes allocated with malloc. Why does this overflow?
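The following is an added, self-contained example written for this page; it is not Chrome's code and not taken from the bug report. It models only the BoxReader calls the quoted Parse() uses (MiniReader, a big-endian reader over an in-memory buffer, is an assumption, as is the 4-byte FullBox header layout), and builds two constructed boxes: a benign one with two 64-bit entries, and a crafted one whose count is 0x20000001 but which carries only 8 entry bytes. It shows that the quoted size check accepts the crafted box because 0x20000001 * 8 wraps to 8 in uint32_t, that a check written as count <= remaining / entry_size cannot wrap, and how many bytes resize(count) has to request when the multiplication is done in a 32-bit versus a 64-bit size_t.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal big-endian reader standing in for Chrome's BoxReader. Assumption: only
// the calls used by the quoted Parse() are modelled, over an in-memory buffer.
class MiniReader {
 public:
  explicit MiniReader(const std::vector<uint8_t>& buf) : buf_(buf) {}
  uint8_t version() const { return version_; }
  uint32_t flags() const { return flags_; }
  uint64_t remaining() const { return buf_.size() - pos_; }
  bool HasBytes(uint64_t n) const { return n <= remaining(); }
  bool SkipBytes(uint64_t n) { if (!HasBytes(n)) return false; pos_ += n; return true; }
  bool Read4(uint32_t* v) { return ReadBE(4, v); }
  bool Read8(uint64_t* v) { return ReadBE(8, v); }
  bool Read4Into8(uint64_t* v) { uint32_t t; if (!Read4(&t)) return false; *v = t; return true; }
  // FullBox header (assumed layout): 1-byte version followed by 24-bit flags.
  bool ReadFullBoxHeader() {
    if (!HasBytes(4)) return false;
    version_ = buf_[pos_++];
    flags_ = 0;
    for (int i = 0; i < 3; i++) flags_ = (flags_ << 8) | buf_[pos_++];
    return true;
  }
 private:
  template <typename T> bool ReadBE(int n, T* v) {
    if (!HasBytes(n)) return false;
    *v = 0;
    for (int i = 0; i < n; i++) *v = (*v << 8) | buf_[pos_++];
    return true;
  }
  const std::vector<uint8_t>& buf_;
  size_t pos_ = 0;
  uint8_t version_ = 0;
  uint32_t flags_ = 0;
};

// The size expression exactly as the quoted code computes it: uint32_t times an
// int is evaluated in 32-bit unsigned arithmetic and wraps modulo 2^32.
uint32_t EntryBytesAsWritten(uint32_t count, uint8_t version) {
  return count * (version == 1 ? 8 : 4);
}

// Overflow-safe form of the same check: divide the remaining budget instead of
// multiplying the attacker-controlled count.
bool CountFitsRemaining(uint32_t count, uint8_t version, uint64_t remaining) {
  const uint64_t entry = (version == 1) ? 8 : 4;
  return count <= remaining / entry;
}

// Bytes that std::vector<uint64_t>::resize(count) must request, as a size_t of
// the given width computes them: count * 8 needs up to 35 bits, so it fits a
// 64-bit size_t but wraps in a 32-bit one.
uint64_t ResizeBytes(uint32_t count, int size_t_bits) {
  uint64_t bytes = static_cast<uint64_t>(count) * sizeof(uint64_t);
  if (size_t_bits < 64) bytes &= (static_cast<uint64_t>(1) << size_t_bits) - 1;
  return bytes;
}

// Runs the quoted parser's header and count logic and reports whether its
// HasBytes(count * entry) check accepts the box. It stops before resize(), so a
// wrapped count never reaches the allocator in this demo.
bool OriginalCheckAccepts(const std::vector<uint8_t>& box) {
  MiniReader reader(box);
  if (!reader.ReadFullBoxHeader()) return false;
  if ((reader.flags() & 1) && !reader.SkipBytes(8)) return false;
  uint32_t count;
  if (!reader.Read4(&count)) return false;
  return reader.HasBytes(EntryBytesAsWritten(count, reader.version()));
}

// Hardened parser: same layout, but the size check cannot wrap, so resize() and
// the read loop only run for a count the buffer can actually supply.
bool ParseSafe(const std::vector<uint8_t>& box, std::vector<uint64_t>* offsets) {
  MiniReader reader(box);
  if (!reader.ReadFullBoxHeader()) return false;
  if ((reader.flags() & 1) && !reader.SkipBytes(8)) return false;
  uint32_t count;
  if (!reader.Read4(&count)) return false;
  if (!CountFitsRemaining(count, reader.version(), reader.remaining())) return false;
  offsets->resize(count);
  for (uint32_t i = 0; i < count; i++) {
    uint64_t* slot = &(*offsets)[i];
    if (!(reader.version() == 1 ? reader.Read8(slot) : reader.Read4Into8(slot))) return false;
  }
  return true;
}

// Constructed sample boxes (not taken from a real file): version byte, zero
// flags, big-endian count, then the raw entry bytes.
std::vector<uint8_t> MakeBox(uint8_t version, uint32_t count, std::vector<uint8_t> entries) {
  std::vector<uint8_t> box = {version, 0, 0, 0};
  for (int shift = 24; shift >= 0; shift -= 8) box.push_back(static_cast<uint8_t>(count >> shift));
  box.insert(box.end(), entries.begin(), entries.end());
  return box;
}
std::vector<uint8_t> GoodBox() {  // version 1, count 2, two 8-byte entries (1 and 2)
  return MakeBox(1, 2, {0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2});
}
std::vector<uint8_t> EvilBox() {  // version 1, count 0x20000001, only 8 entry bytes
  return MakeBox(1, 0x20000001u, {0, 0, 0, 0, 0, 0, 0, 0});
}
long long SafeParsedCount(const std::vector<uint8_t>& box) {  // -1 if rejected
  std::vector<uint64_t> offsets;
  return ParseSafe(box, &offsets) ? static_cast<long long>(offsets.size()) : -1;
}
uint64_t SafeParsedOffset(const std::vector<uint8_t>& box, size_t i) {  // 0 if rejected
  std::vector<uint64_t> offsets;
  return ParseSafe(box, &offsets) && i < offsets.size() ? offsets[i] : 0;
}

int main() {
  printf("0x20000001 * 8 in uint32_t = %u\n", EntryBytesAsWritten(0x20000001u, 1));
  printf("original check accepts crafted box: %d\n", OriginalCheckAccepts(EvilBox()));
  printf("hardened parse of crafted box: %lld entries\n", SafeParsedCount(EvilBox()));
  printf("resize bytes for count 0x20000001: 32-bit size_t %llu, 64-bit size_t %llu\n",
         static_cast<unsigned long long>(ResizeBytes(0x20000001u, 32)),
         static_cast<unsigned long long>(ResizeBytes(0x20000001u, 64)));
  return 0;
}
```

With the crafted box, HasBytes() is asked for 8 bytes (the wrapped product) although the loop that follows would try to read 0x20000001 entries; the hardened check rejects it because 0x20000001 is larger than 8 / 8. The ResizeBytes() values show why the allocation size depends on the build: in a 32-bit size_t the same product wraps to 8 bytes, while a 64-bit size_t asks for 4294967304 bytes.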