2018 Feb 09
3
[PATCH]Add address overflow check
...ar *comments, int length)
}
len=readint(c, 0);
c+=4;
- if (len < 0 || c+len>end)
+ if (len < 0 || c+len>end || c+len<c)
{
fprintf (stderr, "Invalid/corrupted comments\n");
return;
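Review bot: the added `c+len<c` term only works if the compiler keeps it, and it may not: once `c+len` points outside the comments buffer, forming that pointer is undefined behaviour in C, so an optimizer may treat `c+len<c` as always false and drop the comparison, leaving the wrap this hunk is meant to catch undetected. A check that never forms the out-of-range pointer sidesteps the problem: compare the length against the bytes that remain, e.g. `if (len < 0 || len > end - c)`, which also subsumes the existing `c+len>end` test.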
Thanks!
--
Best regards,
Ruikai Liu
2018 Feb 09
0
[PATCH]Add address overflow check
Pointers are unsigned so this shouldn't be an issue. I suspect you're
being hit by something else. That or your compiler is really broken.
Cheers,
Jean-Marc
On 02/09/2018 04:42 AM, Ruikai Liu wrote:
> Hi,
>
> I came into a crash when using 32-bit `speexdec` and found that there's
> an address overflow in function `print_comments()`:
>
> static void print_comments(char *comments, int length)
> {
>    char *c = comments;
>    int len, i, nb_f...
2018 Feb 12
2
[PATCH]Add address overflow check
On 09 February 2018 15:56 Jean-Marc Valin wrote:
> Pointers are unsigned so this shouldn't be an issue. I suspect you're
> being hit by something else. That or your compiler is really broken.
I don't know how important it is in this case (probably pretty minor) but in general Ruikai's right.
It doesn't matter that pointers are unsigned; the fact that a pointer could have a "large" value like 0xffff_ff00 means that they can wrap if you do length checks the wrong way. The behaviour is completely defined - it just causes the code not to work as intended.
The...
2018 Feb 12
0
[PATCH]Add address overflow check
...2018 15:56 Jean-Marc Valin wrote:
>> Pointers are unsigned so this shouldn't be an issue. I suspect you're
>> being hit by something else. That or your compiler is really broken.
>
> I don't know how important it is in this case (probably pretty minor) but in general Ruikai's right.
>
> It doesn't matter that pointers are unsigned; the fact that a pointer could have a "large" value like 0xffff_ff00 means that they can wrap if you do length checks the wrong way. The behaviour is completely defined - it just causes the code not to work as inten...