[Rpm-maint] [rpm-software-management/rpm] Avoid out-of-bounds pointer arithmetic in dataLength() (#1626)

Daniel Mach notifications at github.com
Mon Apr 12 06:28:33 UTC 2021


@dmach commented on this pull request.



> @@ -474,8 +474,8 @@ static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,
     default:
 	if (typeSizes[type] == -1)
 	    return -1;
-	length = typeSizes[(type & 0xf)] * count;
-	if (length < 0 || (se && (s + length) > se))
+	length = typeSizes[type] * count;
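Review bot: The context line `if (typeSizes[type] == -1)` already indexes `typeSizes` with the unmasked `type` before the masked `typeSizes[(type & 0xf)]` lookup, so the mask never protected the first access; dropping it makes the two lookups consistent but leaves both unguarded. A range check on `type` placed before the first `typeSizes[type]` access in this function (returning -1 for out-of-range values) would close that gap rather than relying on the `== -1` sentinel.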

The `& 0xf` was probably there to guarantee that we're accessing typeSizes within valid range.
Shouldn't we rather check the `type` range with the following? `if (type > RPM_MAX_TYPE) return -1;`


> @@ -474,8 +474,8 @@ static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,
     default:
 	if (typeSizes[type] == -1)
 	    return -1;
-	length = typeSizes[(type & 0xf)] * count;
-	if (length < 0 || (se && (s + length) > se))
+	length = typeSizes[type] * count;
+	if (length < 0 || (se && length > se - s))
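Review bot: `se - s` is only well-defined when `s` and `se` point into the same object with `se` not before `s`; the hunk does not show how the two pointers are derived, so a comment (or an assertion on `se >= s`) at the top of dataLength() stating that precondition would make the safety of the rewritten check evident to the next reader. The rewrite does achieve its goal: comparing `length` against the remaining distance avoids forming the potentially out-of-bounds `s + length` pointer that the removed line computed.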

Pointer arithmetic is sometimes tricky. If it's not a performance problem, I'd explicitly check that `se >= s`.


-- 
https://github.com/rpm-software-management/rpm/pull/1626#pullrequestreview-633173137