1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

g13: Fix pointer wrap check.

* g13/utils.c (find_tuple, next_tuple): Cast pointer to size_t before
doing an overflow check.
--

Detected by Stack 0.3:

    bug: anti-simplify
  model: |
    %cmp4 = icmp ult i8* %add.ptr3, %s.0, !dbg !568
    -->  false
  stack:
    - /home/wk/s/gnupg/g13/utils.c:127:0
  ncore: 1
  core:
    - /home/wk/s/gnupg/g13/utils.c:127:0
      - pointer overflow
This commit is contained in:
Werner Koch 2015-03-15 13:33:26 +01:00
parent 3a35c9740a
commit 4bc3a2e954
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -124,14 +124,16 @@ find_tuple (tupledesc_t tupledesc, unsigned int tag, size_t *r_length)
s_end = s + tupledesc->datalen; s_end = s + tupledesc->datalen;
while (s < s_end) while (s < s_end)
{ {
if (s+3 >= s_end || s + 3 < s) /* We use addresses for the overflow check to avoid undefined
behaviour. size_t should work with all flat memory models. */
if ((size_t)s+3 >= (size_t)s_end || (size_t)s + 3 < (size_t)s)
break; break;
t = s[0] << 8; t = s[0] << 8;
t |= s[1]; t |= s[1];
n = s[2] << 8; n = s[2] << 8;
n |= s[3]; n |= s[3];
s += 4; s += 4;
if (s + n > s_end || s + n < s) if ((size_t)s + n > (size_t)s_end || (size_t)s + n < (size_t)s)
break; break;
if (t == tag) if (t == tag)
{ {
@ -159,14 +161,14 @@ next_tuple (tupledesc_t tupledesc, unsigned int *r_tag, size_t *r_length)
s_end = s + tupledesc->datalen; s_end = s + tupledesc->datalen;
s += tupledesc->pos; s += tupledesc->pos;
if (s < s_end if (s < s_end
&& !(s+3 >= s_end || s + 3 < s)) && !((size_t)s + 3 >= (size_t)s_end || (size_t)s + 3 < (size_t)s))
{ {
t = s[0] << 8; t = s[0] << 8;
t |= s[1]; t |= s[1];
n = s[2] << 8; n = s[2] << 8;
n |= s[3]; n |= s[3];
s += 4; s += 4;
if (!(s + n > s_end || s + n < s)) if (!((size_t)s + n > (size_t)s_end || (size_t)s + n < (size_t)s))
{ {
tupledesc->pos = (s + n) - tupledesc->data; tupledesc->pos = (s + n) - tupledesc->data;
*r_tag = t; *r_tag = t;