Attachment 3293 Details for Bug 2608 – proposed fix v2

[patch] proposed fix v2

fix-potential-signed-overflow-in-pointer-arithmatic.patch (text/plain), 3.13 KB, created by Hongxu Jia on 2019-06-17 15:58:00 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Hongxu Jia

Created: 2019-06-17 15:58:00 AEST

Size: 3.13 KB

patch

obsolete

>From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
>From: Yuanjie Huang <yuanjie.huang@windriver.com>
>Date: Wed, 24 Aug 2016 03:15:43 +0000
>Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
>
>Pointer arithmatic results in implementation defined signed integer
>type, so that 's - src' in strlcpy and others may trigger signed overflow.
>In case of compilation by gcc or clang with -ftrapv option, the overflow
>would lead to program abort.
>
>Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
>
>Complete the fix
>Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>---
> openbsd-compat/strlcat.c | 10 +++++++---
> openbsd-compat/strlcpy.c |  8 ++++++--
> openbsd-compat/strnlen.c |  8 ++++++--
> 3 files changed, 19 insertions(+), 7 deletions(-)
>
>diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
>index bcc1b61..124e1e3 100644
>--- a/openbsd-compat/strlcat.c
>+++ b/openbsd-compat/strlcat.c
>@@ -23,6 +23,7 @@
> 
> #include <sys/types.h>
> #include <string.h>
>+#include <stdint.h>
> 
> /*
>  * Appends src to string dst of size siz (unlike strncat, siz is the
>@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
> 	/* Find the end of dst and adjust bytes left but don't go past end */
> 	while (n-- != 0 && *d != '\0')
> 		d++;
>-	dlen = d - dst;
>+	dlen = (uintptr_t)d - (uintptr_t)dst;
> 	n = siz - dlen;
> 
> 	if (n == 0)
>@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
> 		s++;
> 	}
> 	*d = '\0';
>-
>-	return(dlen + (s - src));	/* count does not include NUL */
>+        /*
>+	 * Cast pointers to unsigned type before calculation, to avoid signed
>+	 * overflow when the string ends where the MSB has changed.
>+	 */
>+	return (dlen + ((uintptr_t)s - (uintptr_t)src));	/* count does not include NUL */
> }
> 
> #endif /* !HAVE_STRLCAT */
>diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
>index b4b1b60..b06f374 100644
>--- a/openbsd-compat/strlcpy.c
>+++ b/openbsd-compat/strlcpy.c
>@@ -23,6 +23,7 @@
> 
> #include <sys/types.h>
> #include <string.h>
>+#include <stdint.h>
> 
> /*
>  * Copy src to string dst of size siz.  At most siz-1 characters
>@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
> 		while (*s++)
> 			;
> 	}
>-
>-	return(s - src - 1);	/* count does not include NUL */
>+        /*
>+	 * Cast pointers to unsigned type before calculation, to avoid signed
>+	 * overflow when the string ends where the MSB has changed.
>+	 */
>+	return ((uintptr_t)s - (uintptr_t)src - 1);	/* count does not include NUL */
> }
> 
> #endif /* !HAVE_STRLCPY */
>diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
>index 7ad3573..7040f1f 100644
>--- a/openbsd-compat/strnlen.c
>+++ b/openbsd-compat/strnlen.c
>@@ -23,6 +23,7 @@
> #include <sys/types.h>
> 
> #include <string.h>
>+#include <stdint.h>
> 
> size_t
> strnlen(const char *str, size_t maxlen)
>@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
> 
> 	for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
> 		;
>-
>-	return (size_t)(cp - str);
>+        /*
>+	 * Cast pointers to unsigned type before calculation, to avoid signed
>+	 * overflow when the string ends where the MSB has changed.
>+	 */
>+	return (size_t)((uintptr_t)cp - (uintptr_t)str);
> }
> #endif
>-- 
>2.17.1
>

Actions: View | Diff

Attachments on bug 2608: 2866 | 2867 | 3293