Displaying 5 results from an estimated 5 matches for "buf_end".
2018 Feb 12
2
[PATCH]Add address overflow check
...that fact that a pointer could have a "large" value like 0xffff_ff00 means that they can wrap if you do length checks the wrong way. The behaviour is completely defined - it just causes the code not to work as intended.
The "bad" way of doing a length check is
    char *buf_start, *buf_end;
    unsigned len_to_check;
    if (buf_start + len_to_check > buf_end)
        fail();
Because the length is to-be-checked, it could have an unsafe large value, causing an (unsigned) overflow. For example, with buf_start = 0xffff_ff00 and buf_end = 0xffff_ff10, the maximum allowed length is 0x10, but a len...
2018 Feb 12
0
[PATCH]Add address overflow check
Yes, I agree that buf_end - buf_start < len_to_check is better. It's the
0xFFFFFFFF overflow that's a cause of concern, not the 0x80000000. That
being said, I believe that the length argument in this case can be
trusted since it comes from the application and not from the user.
Cheers,
Jean-Marc
On 02/12/2018...
2000 Aug 12
1
libao patch: Minor clean up / Byte-order proposal
.../ao_alsa.c,v
retrieving revision 1.1
diff -u -r1.1 ao_alsa.c
--- vorbis-tools/libao/ao_alsa.c 2000/07/22 01:57:05 1.1
+++ vorbis-tools/libao/ao_alsa.c 2000/08/13 00:30:01
@@ -38,7 +38,7 @@
typedef struct ao_alsa_internal_s
{
snd_pcm_t *pcm_handle;
- void *buf;
+ char *buf;
int buf_size;
int buf_end;
int card;
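Review bot: in `ao_alsa_internal_s`, `buf_size` and `buf_end` remain signed `int` next to the retyped `char *buf`, while `ao_alsa_play` in the next hunk takes `uint_32 num_bytes`. If these fields are compared or combined with `num_bytes`, the arithmetic is mixed-sign; consider an unsigned size type for both, or a comment stating their valid range.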
@@ -191,9 +191,9 @@
ao_alsa_play (ao_internal_t *state, void* output_samples, uint_32 num_bytes)
{
ao_alsa_internal_t *s = (ao_alsa_internal_t *) state;
- snd_pcm_t *pcm_handle = s->pcm_handle;
int packed = 0;
int copy_len;
+ char *samples = (char *) output_samples;
whil...
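Review bot: on the added `char *samples = (char *) output_samples;` line, the explicit cast is not needed in C, since `void *` converts to `char *` implicitly. If the function only reads through `samples`, declaring it `const char *` would document that.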
2018 Feb 09
3
[PATCH]Add address overflow check
Hi,
I came into a crash when using 32-bit `speexdec` and found that there's an
address overflow in function `print_comments()`:
static void print_comments(char *comments, int length)
{
   char *c=comments;
   int len, i, nb_fields;
   char *end;
   if (length<8)
   {
      fprintf (stderr, "Invalid/corrupted comments\n");
      return;
   }
   end = c+length;
2018 Jun 07
0
[PATCH v2 1/2] compiler-gcc.h: add gnu_inline to all inline declarations
...gpu/drm/via/via_verifier.c
index fb2609434df7..400fe11b128d 100644
--- a/drivers/gpu/drm/via/via_verifier.c
+++ b/drivers/gpu/drm/via/via_verifier.c
@@ -238 +238 @@ static hazard_t table3[256];
-static __inline__ int
+static inline int
@@ -253 +253 @@ eat_words(const uint32_t **buf, const uint32_t *buf_end, unsigned num_words)
-static __inline__ drm_local_map_t *via_drm_lookup_agp_map(drm_via_state_t *seq,
+static inline drm_local_map_t *via_drm_lookup_agp_map(drm_via_state_t *seq,
@@ -290 +290 @@ static __inline__ drm_local_map_t *via_drm_lookup_agp_map(drm_via_state_t *seq,
-static __inline__ int f...