Displaying 3 results from an estimated 3 matches for "0xffff_ff10".
2018 Feb 12
2
[PATCH]Add address overflow check
...; way of doing a length check is
    char *buf_start, *buf_end;
    unsigned len_to_check;
    if (buf_start + len_to_check > buf_end)
        fail();
Because the length is to-be-checked, it could have an unsafe large value, causing an (unsigned) overflow. For example, with buf_start = 0xffff_ff00 and buf_end = 0xffff_ff10, the maximum allowed length is 0x10, but a length of 0x100 will cause an overflow and bypass the check.
The safe way of doing a length check is
    if (buf_end - buf_start < len_to_check)
        fail();
The buffer bounds are known safe, so the arithmetic is OK to do that way round.
Nick
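The wraparound described in the message above, as an added example (not code from the thread or from Speex). Addresses are modelled as `uint32_t` so the 32-bit behaviour reproduces on any host; the function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption of this example: addresses are plain 32-bit integers.
   Doing the same sum on real pointers is undefined behaviour in C. */

/* Unsafe pattern: buf_start + len can wrap past 0xffffffff.
   Returns 1 if the length is accepted, 0 if rejected. */
static int unsafe_len_ok(uint32_t buf_start, uint32_t buf_end, uint32_t len)
{
    uint32_t sum = (uint32_t)(buf_start + len);   /* wraps modulo 2^32 */
    return !(sum > buf_end);
}

/* Safe pattern: buf_end - buf_start cannot wrap, since buf_start <= buf_end
   is known; the untrusted length only appears in the comparison. */
static int safe_len_ok(uint32_t buf_start, uint32_t buf_end, uint32_t len)
{
    return !((uint32_t)(buf_end - buf_start) < len);
}

/* Count lengths in [0, max_len] that the unsafe check accepts
   although the safe check rejects them. */
static uint32_t count_bypasses(uint32_t buf_start, uint32_t buf_end,
                               uint32_t max_len)
{
    uint32_t n = 0;
    for (uint32_t len = 0; ; len++) {
        if (unsafe_len_ok(buf_start, buf_end, len) &&
            !safe_len_ok(buf_start, buf_end, len))
            n++;
        if (len == max_len)   /* explicit exit avoids wrap at UINT32_MAX */
            break;
    }
    return n;
}

int main(void)
{
    /* Values from the message: 0x10 bytes available at the top of memory. */
    const uint32_t start = 0xffffff00u, end = 0xffffff10u;
    const uint32_t lens[] = { 0x10, 0x11, 0xff, 0x100, 0x200 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=0x%03x unsafe=%d safe=%d\n", (unsigned)lens[i],
               unsafe_len_ok(start, end, lens[i]),
               safe_len_ok(start, end, lens[i]));
    printf("bypasses up to 0x200: %u\n",
           (unsigned)count_bypasses(start, end, 0x200));
    return 0;
}
```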
2018 Feb 12
0
[PATCH]Add address overflow check
...t;
>     char *buf_start, *buf_end;
>     unsigned len_to_check;
>     if (buf_start + len_to_check > buf_end)
>         fail();
>
> Because the length is to-be-checked, it could have an unsafe large value, causing an (unsigned) overflow. For example, with buf_start = 0xffff_ff00 and buf_end = 0xffff_ff10, the maximum allowed length is 0x10, but a length of 0x100 will cause an overflow and bypass the check.
>
> The safe way of doing a length check is
>
>     if (buf_end - buf_start < len_to_check)
>         fail();
>
> The buffer bounds are known safe, so the arithmetic is OK to do...
2018 Feb 09
3
[PATCH]Add address overflow check
Hi,
I ran into a crash when using 32-bit `speexdec` and found that there's an
address overflow in function `print_comments()`:
static void print_comments(char *comments, int length)
{
   char *c=comments;
   int len, i, nb_fields;
   char *end;
   if (length<8)
   {
      fprintf (stderr, "Invalid/corrupted comments\n");
      return;
   }
   end = c+length;