Gadgets and Technology Push

Right back on the new year with a lot of things, first I just realize the feel of Zune , is just got my baby Zune from US, while in Europe will be in next 2

years, so I love it, really, in the car on snowboarding brake, at office.

On the other funny side , just begin full migration and test on Vista x64, first quite surprise on the Volume License activations and the possibility of accession machine resources when it expire, by let’s call it feature "Access Machine with less functionality". After click on that item, my Vista open the IE 7, was enough to get control of an admin command console and to windows explorer with admin rights, so I just close the handle of the activation client using Process explorer and I use it. But that will be enough for someone that have good knowledge how to disable the activation dll’s and to clear the system protection. So will never ask again for it, but that way is for the bad guys.

Something new regarding the new generation of coding bug is there MS07-004


The bug is an integer overflow calling C++ operator::new, but the affected component vgx.dll is compiled with the C++ compiler available in Visual Studio 2005 that automatically detects integer overflows at runtime. All of Windows Vista is compiled with this compiler.

Raymond Chen pointed out last year (, there is a potential integer overflow when calling operator::new. The C++ compiler in Visual Studio 2005 automatically generates defensive code to mitigate this potential vulnerability.


Code like this:


class CFoo {


      CFoo() {m_p = NULL;}


      void *m_p;



void *func(size_t count) {

      if (!count) return NULL;

      return new CFoo[count];



When compiled with VS2005, yields output like this:


; _count$ = esi


; 14   :    if (!count) return NULL;


  00000     85 f6       test esi, esi

  00002     74 36       je   SHORT $LN4@func


; 15   :    return new CFoo[count];


  00004     33 c9       xor  ecx, ecx

  00006     8b c6       mov  eax, esi

  00008     ba 04 00 00 00    mov  edx, 4

  0000d     f7 e2       mul  edx

  0000f     0f 90 c1    seto cl

  00012     f7 d9       neg  ecx

  00014     0b c8       or   ecx, eax

  00016     51          push ecx

  00017     e8 00 00 00 00    call ??2@YAPAXI@Z     ; operator new


As you can see (assuming you can read assembly code!) the multiply occurs (mul edx) and then the CL register is set or not set depending on the value if the overflow flag. Now here’s the funky part, ECX will end up being 0x00000000 or 0xFFFFFFFF, and because of the next operation (or ecx) the ECX register will either be 0xFFFFFFFF or the value held in EAX, which is result of the initial multiply. This is then passed to operator::new which will fail in the face of 2^N-1 by returning NULL or throwing an exception.


It’s better to fail, and potentially crash the application, than have an integer overflow that may lead to code execution.


Of course, the correct solution is get the code right in the first place by performing good arithmetic hygiene, and in this case, restrict the maximum number of objects you’ll create:


void *func(size_t count) {

      if (!count || count > MAX_FOO_ALLOWED) return NULL;

      return new CFoo[count];



I will begin a new week by migrating some drivers to vista and longhorn WDK, let see what will bring new.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s