search for: len_to_check

Displaying 3 results from an estimated 3 matches for "len_to_check".

2018 Feb 12
2
[PATCH]Add address overflow check
...ointer could have a "large" value like 0xffff_ff00 means that they can wrap if you do length checks the wrong way. The behaviour is completely defined - it just causes the code not to work as intended. The "bad" way of doing a length check is

    char *buf_start, *buf_end;
    unsigned len_to_check;
    if (buf_start + len_to_check > buf_end) fail()

Because the length is to-be-checked, it could have an unsafe large value, causing an (unsigned) overflow. For example, with buf_start = 0xffff_ff00 and buf_end = 0xffff_ff10, the maximum allowed length is 0x10, but a length of 0x100 will cause...
2018 Feb 12
0
[PATCH]Add address overflow check
Yes, I agree that buf_end - buf_start < len_to_check is better. It's the 0xFFFFFFFF overflow that's a cause of concern, not the 0x80000000. That being said, I believe that the length argument in this case can be trusted since it comes from the application and not from the user. Cheers, Jean-Marc On 02/12/2018 05:28 AM, Nicholas Wilson wro...
2018 Feb 09
3
[PATCH]Add address overflow check
Hi, I ran into a crash when using 32-bit `speexdec` and found that there's an address overflow in function `print_comments()`:

    static void print_comments(char *comments, int length)
    {
       char *c=comments;
       int len, i, nb_fields;
       char *end;
       if (length<8)
       {
          fprintf (stderr, "Invalid/corrupted comments\n");
          return;
       }
       end = c+length;