.text:000000018007F9E0 sub_18007F9E0   proc near               ; CODE XREF: sub_180080150+9↓p.text:000000018007F9E0                                         ; DATA XREF: .rdata:0000000180404750↓o ....text:000000018007F9E0.text:000000018007F9E0 Src             = byte ptr -1028h.text:000000018007F9E0 var_28          = qword ptr -28h.text:000000018007F9E0 arg_8           = qword ptr  10h.text:000000018007F9E0 arg_10          = qword ptr  18h.text:000000018007F9E0 arg_18          = qword ptr  20h.text:000000018007F9E0.text:000000018007F9E0 ; __unwind { // __GSHandlerCheck.text:000000018007F9E0                 push    rbx.text:000000018007F9E2                 push    rbp.text:000000018007F9E3                 push    r15.text:000000018007F9E5                 mov     eax, 1030h.text:000000018007F9EA                 call    _alloca_probe.text:000000018007F9EF                 sub     rsp, rax.text:000000018007F9F2                 mov     rax, cs:__security_cookie.text:000000018007F9F9                 xor     rax, rsp.text:000000018007F9FC                 mov     [rsp+1048h+var_28], rax.text:000000018007FA04                 mov     rax, [rcx+20h].text:000000018007FA08                 mov     rbx, rcx.text:000000018007FA0B                 xor     ebp, ebp.text:000000018007FA0D                 mov     ecx, [rax+2Ch]  ; [3] value at file offset +0x2C.text:000000018007FA10                 imul    ecx, [rbx+60h]  ; [4] Size which was set in sub_18007F7B0 e.g 0x200.text:000000018007FA14                 cmp     rcx, [rbx+18h]  ; [5] size of the file .text:000000018007FA18                 jbe     short loc_18007FA22.text:000000018007FA1A                 lea     eax, [rbp+6].text:000000018007FA1D                 jmp     loc_18007FB30.text:000000018007FA22 ; ---------------------------------------------------------------------------.text:000000018007FA22.text:000000018007FA22 loc_18007FA22:                          ; CODE XREF: PARSE__18007F9E0+38↑j.text:000000018007FA22                 call    [email protected][email protected] ; operator new(unsigned __int64)    ; [6].text:000000018007FA27                 mov     [rbx+40h], rax.text:000000018007FA2B                 test    rax, rax.text:000000018007FA2E                 jnz     short loc_18007FA38.text:000000018007FA30                 lea     ebp, [rax+3].text:000000018007FA33                 jmp     loc_18007FB2E

sub_18007F9E0检查值 [3] 乘以 [4] 是否小于文件 [5] 的大小。在这里，乘法结果被截断为 32 位值（存储到ECX），导致整数溢出。这个溢出的大小值小于实际需要的值，用于在 [6] 处分配堆内存。因此，在 [3] 处具有较大的值将导致整数溢出，并且文件大小的检查将通过。

然后它会从文件到分配的堆内存执行 0x200 字节的重复 memcpy（在崩溃测试用例的情况下），直到文件偏移+0x2C[8] 处的值指定的次数。由于分配的堆内存大小不足以存储0x200 * [file + 0x2C]字节，因此会发生堆溢出。

.text:000000018007FAD4                 imul    edi, esi.text:000000018007FAD7                 lea     rdx, [rsp+1048h+Src] ; Src.text:000000018007FADC                 mov     r8d, r14d       ; Size.text:000000018007FADF                 add     rdi, [rbx+40h].text:000000018007FAE3                 mov     rcx, rdi        ; void *.text:000000018007FAE6                 call    memcpy          ; [7] CRASH!!!!.text:000000018007FAEB                 test    rdi, rdi.text:000000018007FAEE                 jz      short loc_18007FB04.text:000000018007FAF0                 mov     rax, [rbx+20h].text:000000018007FAF4                 inc     esi.text:000000018007FAF6                 cmp     esi, [rax+2Ch]  ; [8]

0:000> k# Child-SP          RetAddr               Call Site00 000000a7`6c57e298 00007ffa`adc2faeb     VCRUNTIME140!memcpy+0x1e301 000000a7`6c57e2a0 00007ffa`adc3015e     coen!Coen_Clean+0x6bb5b02 000000a7`6c57f2f0 00007ffa`adc2f8d6     coen!Coen_Clean+0x6c1ce03 000000a7`6c57f320 00007ffa`adc257fa     coen!Coen_Clean+0x6b94604 000000a7`6c57f360 00007ffa`adbc91c2     coen!Coen_Clean+0x6186a05 000000a7`6c57f6a0 00007ffa`adbb5795     coen!Coen_Clean+0x5232 06 000000a7`6c57f820 00007ffa`adbc3974     coen+0x579507 000000a7`6c57f960 00007ff7`ecb8116b     coen!Coen_ScanPath+0xb4...