From 4bc3a2e954afc2ba7dbe79ba5f740184b7d4cd73 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Sun, 15 Mar 2015 13:33:26 +0100
Subject: g13: Fix pointer wrap check.

* g13/utils.c (find_tuple, next_tuple): Cast pointer to size_t before doing an overflow check.
--
Detected by Stack 0.3:
bug: anti-simplify
model: |
%cmp4 = icmp ult i8* %add.ptr3, %s.0, !dbg !568
--> false
stack:
- /home/wk/s/gnupg/g13/utils.c:127:0
ncore: 1
core:
- /home/wk/s/gnupg/g13/utils.c:127:0
- pointer overflow
---
g13/utils.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/g13/utils.c b/g13/utils.c
index 6fe3e5ac1..4ab4799cd 100644
--- a/g13/utils.c
+++ b/g13/utils.c
@@ -124,14 +124,16 @@ find_tuple (tupledesc_t tupledesc, unsigned int tag, size_t *r_length)
 s_end = s + tupledesc->datalen;
 while (s < s_end)
 {
- if (s+3 >= s_end || s + 3 < s)
+ /* We use addresses for the overflow check to avoid undefined
+ behaviour. size_t should work with all flat memory models. */
+ if ((size_t)s+3 >= (size_t)s_end || (size_t)s + 3 < (size_t)s)
 break;
 t = s[0] << 8;
 t |= s[1];
 n = s[2] << 8;
 n |= s[3];
 s += 4;
- if (s + n > s_end || s + n < s)
+ if ((size_t)s + n > (size_t)s_end || (size_t)s + n < (size_t)s)
 break;
 if (t == tag)
 {
@@ -159,14 +161,14 @@ next_tuple (tupledesc_t tupledesc, unsigned int *r_tag, size_t *r_length)
 s_end = s + tupledesc->datalen;
 s += tupledesc->pos;
 if (s < s_end
- && !(s+3 >= s_end || s + 3 < s))
+ && !((size_t)s + 3 >= (size_t)s_end || (size_t)s + 3 < (size_t)s))
 {
 t = s[0] << 8;
 t |= s[1];
 n = s[2] << 8;
 n |= s[3];
 s += 4;
- if (!(s + n > s_end || s + n < s))
+ if (!((size_t)s + n > (size_t)s_end || (size_t)s + n < (size_t)s))
 {
 tupledesc->pos = (s + n) - tupledesc->data;
 *r_tag = t;
-- 
cgit v1.2.3
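Review bot: The casts on the two new `if` lines in find_tuple should be to `uintptr_t` (from `<stdint.h>`) rather than `size_t`; `size_t` is not specified to be able to hold a pointer value, which is exactly the caveat the new comment has to make about "flat memory models", whereas `uintptr_t` is the type defined for that round trip. The four-byte header check and the `s + n` check are now spelled out twice here and twice again in the next_tuple hunk, and next_tuple does not get the explanatory comment at all, so a small static helper would keep the rationale and the arithmetic in one place. Note that the `> (size_t)s_end` comparison is the one that actually keeps the following `s[0]`..`s[3]` reads and the later `s + n` pointer inside the tuple buffer; the `< (size_t)s` wrap test is only a backstop for an `s` within `n` bytes of the top of the address space. The element type of `s` is not visible in either hunk; the helper below assumes the `const unsigned char *` that the `s[0] << 8` byte assembly suggests, which should be confirmed against the declaration. find_tuple's body continues outside the hunk.
```c
/* Return nonzero if LEN bytes starting at S lie inside [S, S_END).
   The comparison is done on integer values so that no pointer past
   the end of the buffer is ever formed.  */
static int
tuple_fits (const unsigned char *s, const unsigned char *s_end, size_t len)
{
  uintptr_t a = (uintptr_t)s;

  return a + len >= a && a + len <= (uintptr_t)s_end;
}

/* … unchanged: find_tuple prologue … */
  while (s < s_end)
    {
      if (!tuple_fits (s, s_end, 4))
        break;
      /* … unchanged: t/n assembly, s += 4 … */
      if (!tuple_fits (s, s_end, n))
        break;
/* … unchanged: tag match and rest of loop … */
```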