store: don't underflow pointer #226
Conversation
Huh?
I quoted the wrong part earlier (pointer-pointer subtraction instead of pointer-integer addition). Here is the correct section and the relevant part (emphasis added):
The
Also relevant from Annex J (it's talking about dereferencing, but the "out of range" part is relevant for pointer arithmetic also):
Doing the arithmetic on indices avoids all these issues.
Oh, I see. What do you think about just adjusting the original code with this in the `*snip is NULL` case:

```c
if (start == end) {
    return false;
}
```

or

```c
if (guard->cs->header->nr_snips == 0) {
    return false;
}
```

That seems to produce more easy to understand code flow to me.
That's what I originally had but that only fixes the
Pushed a new patch with a different approach. This one returns early on the
This seems easier to understand than the index approach, let me know what you think.
EDIT: also renamed
when iterating backwards or when nr_snips is 0, the pointer will be decremented outside of the `cs_snip` array object and into the header, which is technically UB [0]. Avoid it by returning early on the nr_snips == 0 case and by checking against the "stop" pointer before doing the decrement.

0: https://port70.net/~nsz/c/c11/n1570.html#6.5.6p8
Thanks!
when number of snips is 0, `end - 1` will go one below the buffer. computing an out of bound pointer (with the exception of one past the end) is technically UB [0] so avoid it by doing the computation on index instead of pointers.

0: https://port70.net/~nsz/c/c11/n1570.html#6.5.6p9

EDIT: the patch is incomplete, breaks reverse iteration.
EDIT2: turned out a bit more hairy than I had imagined, but the patch should be functional now. Just doing the same computation, but on index instead of pointer steers clear of any UB.
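Both remedies discussed in this thread side by side, as an added example that is not the project's code: a reverse scan that returns early when `nr_snips == 0` and tests the cursor against the "stop" pointer before every decrement (the approach of the later patch), and the same scan done on indices (the approach of the first patch). The `struct header` / `struct cs_snip` layout, the `id` field, the `find_last_by_*` and `make_sample` functions and the sample ids are all assumptions made for this example; only the names `nr_snips` and `cs_snip` come from the thread. Either version forms no pointer below `&snips[0]`, so the C11 6.5.6p8 problem described above cannot arise.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_SNIPS 8

/* Hypothetical types modelled on the thread's header / cs_snip layout;
 * these are NOT the project's definitions. */
struct cs_snip {
    int id;
};

struct header {
    size_t nr_snips;                 /* number of valid entries in snips[] */
    struct cs_snip snips[MAX_SNIPS]; /* the cs_snip array sits right after the header fields */
};

/* Reverse search with pointers. The cursor starts one past the end (a pointer
 * the standard allows) and is decremented only after confirming it is still
 * above "stop", so it never moves below &snips[0] into the header.
 * Returns the index of the last snip whose id matches, or -1 if none. */
long find_last_by_ptr(const struct header *h, int wanted)
{
    if (h->nr_snips == 0)
        return -1;                        /* nothing to scan; end - 1 would be UB */

    const struct cs_snip *stop = h->snips;               /* first valid element */
    const struct cs_snip *cur  = h->snips + h->nr_snips; /* one past the end */

    while (cur != stop) {
        cur--;                            /* cur > stop here, so cur - 1 >= stop */
        if (cur->id == wanted)
            return (long)(cur - h->snips);
    }
    return -1;
}

/* Same search on indices. The loop counts down from nr_snips and the
 * "i-- > 0" test stops before the index would wrap, so no out-of-range
 * pointer is ever formed and nr_snips == 0 needs no special case. */
long find_last_by_idx(const struct header *h, int wanted)
{
    for (size_t i = h->nr_snips; i-- > 0;) {
        if (h->snips[i].id == wanted)
            return (long)i;
    }
    return -1;
}

/* Fill a header with n constructed sample entries (ids below are made up). */
void make_sample(struct header *h, size_t n)
{
    static const int ids[MAX_SNIPS] = { 3, 7, 7, 1, 7, 2, 9, 4 };
    if (n > MAX_SNIPS)
        n = MAX_SNIPS;
    h->nr_snips = n;
    for (size_t i = 0; i < n; i++)
        h->snips[i].id = ids[i];
}

/* Convenience wrappers: build a sample of n entries and run each search. */
long sample_last_by_ptr(size_t n, int wanted)
{
    struct header h;
    make_sample(&h, n);
    return find_last_by_ptr(&h, wanted);
}

long sample_last_by_idx(size_t n, int wanted)
{
    struct header h;
    make_sample(&h, n);
    return find_last_by_idx(&h, wanted);
}

int main(void)
{
    /* The empty case is the one the thread is about: both return -1 without
     * ever computing end - 1. */
    printf("empty: ptr=%ld idx=%ld\n", sample_last_by_ptr(0, 7), sample_last_by_idx(0, 7));
    printf("five:  ptr=%ld idx=%ld\n", sample_last_by_ptr(5, 7), sample_last_by_idx(5, 7));
    return 0;
}
```

The pointer version needs the early return only for readability; with `cur == stop` from the start the loop body would never run anyway. The index version gets the same guarantee from the loop condition alone, which is why the thread found it steered clear of the UB without extra checks but at the cost of a less obvious loop header.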