[Rpm-maint] [rpm-software-management/rpm] Avoid out-of-bounds pointer arithmetic in dataLength() (#1626)
Demi Marie Obenour
notifications at github.com
Mon Apr 12 12:14:44 UTC 2021
@DemiMarie commented on this pull request.
> @@ -474,8 +474,8 @@ static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,
default:
if (typeSizes[type] == -1)
return -1;
- length = typeSizes[(type & 0xf)] * count;
- if (length < 0 || (se && (s + length) > se))
+ length = typeSizes[type] * count;
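Review bot: the removed line indexed the table with `typeSizes[(type & 0xf)]` while the guard two lines above tests `typeSizes[type] == -1`, so the size that was validated and the size that was used could come from different table entries; `length = typeSizes[type] * count;` makes both reads use the same index, which closes that gap. Because the `default:` branch reads `typeSizes[type]` unconditionally, a range check of `type` against the number of entries in `typeSizes` has to happen before this switch; that check is not visible in the hunk, so please confirm it exists (or add it) rather than relying on callers.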
Good idea.
> @@ -474,8 +474,8 @@ static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,
default:
if (typeSizes[type] == -1)
return -1;
- length = typeSizes[(type & 0xf)] * count;
- if (length < 0 || (se && (s + length) > se))
+ length = typeSizes[type] * count;
+ if (length < 0 || (se && length > se - s))
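Review bot: the removed `(s + length) > se` forms a pointer that can lie beyond the end of the buffer before the comparison is made, which is undefined behaviour in C even when that pointer is never dereferenced, so compilers are free to mis-optimise the check; `length > se - s` compares against the remaining byte count without creating an out-of-bounds pointer, which is the correct shape for this test. It does rely on `s <= se` holding (the subtraction is only meaningful when both point into the same object), so that precondition belongs in a single check at the top of the function rather than being assumed here. Separately, `typeSizes[type] * count` can still wrap for a large `count`, and `length < 0` only catches wrapped results that happen to land negative; when `se` is set, rejecting `count > (se - s) / typeSizes[type]` before multiplying would make the bound independent of the width of `length`.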
Will do at the top of the function. Since this is always a programming error (unless `se` is `NULL`), is it okay if I just call `abort()`? Also, I would prefer to cast to `uintptr_t` first, so compilers don’t do anything sneaky.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1626#discussion_r611563223