From: <zu...@us...> - 2015-02-25 22:31:12
Revision: 5115 http://sourceforge.net/p/fuse-emulator/code/5115 Author: zubzero Date: 2015-02-25 22:31:10 +0000 (Wed, 25 Feb 2015) Log Message: ----------- Avoid (undefined) reliance on pointer overflow in buffer length checks Modified Paths: -------------- trunk/libspectrum/hacking/ChangeLog trunk/libspectrum/pzx_read.c trunk/libspectrum/szx.c trunk/libspectrum/tzx_read.c trunk/libspectrum/warajevo_read.c Modified: trunk/libspectrum/hacking/ChangeLog =================================================================== --- trunk/libspectrum/hacking/ChangeLog 2015-02-20 23:17:44 UTC (rev 5114) +++ trunk/libspectrum/hacking/ChangeLog 2015-02-25 22:31:10 UTC (rev 5115) @@ -970,3 +970,5 @@ 20150107 test/test.c: remove "Function call argument is an uninitialized value" warning. There's no chance that it is, but clang doesn't realise that (Sergio). +20150225 pzx_read.c,szx.c,tzx_read.c,warajevo_read.c: avoid (undefined) reliance + on pointer overflow in buffer length checks (Stuart). Modified: trunk/libspectrum/pzx_read.c =================================================================== --- trunk/libspectrum/pzx_read.c 2015-02-20 23:17:44 UTC (rev 5114) +++ trunk/libspectrum/pzx_read.c 2015-02-25 22:31:10 UTC (rev 5115) @@ -548,7 +548,7 @@ error = read_block_header( id, &data_length, buffer, end ); if( error ) return error; - if( *buffer + data_length > end || *buffer + data_length < *buffer ) { + if( end - *buffer < data_length ) { libspectrum_print_error( LIBSPECTRUM_ERROR_CORRUPT, "read_block: block length goes beyond end of file" Modified: trunk/libspectrum/szx.c =================================================================== --- trunk/libspectrum/szx.c 2015-02-20 23:17:44 UTC (rev 5114) +++ trunk/libspectrum/szx.c 2015-02-25 22:31:10 UTC (rev 5115) 
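Review bot: The new check `if( end - *buffer < data_length )` compares a signed pointer difference (ptrdiff_t) against an unsigned length (data_length is filled from the block header, presumably as size_t or libspectrum_dword), so if `*buffer` were ever past `end` the negative difference would convert to a huge unsigned value and the check would pass instead of rejecting the block. The rewrite is therefore only correct while `*buffer <= end` holds, which read_block_header presumably guarantees after consuming the header; that invariant is worth stating next to the check, e.g. `/* read_block_header leaves *buffer <= end, so the difference is non-negative */`, or making it explicit with `if( *buffer > end || (size_t)( end - *buffer ) < data_length )`. The cast also keeps -Wsign-compare quiet. read_block's body starts and ends outside the hunk.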
@@ -2246,7 +2246,7 @@ error = read_chunk_header( id, &data_length, buffer, end ); if( error ) return error; - if( *buffer + data_length > end || *buffer + data_length < *buffer ) { + if( end - *buffer < data_length ) { libspectrum_print_error( LIBSPECTRUM_ERROR_CORRUPT, "szx_read_chunk: chunk length goes beyond end of file" Modified: trunk/libspectrum/tzx_read.c =================================================================== --- trunk/libspectrum/tzx_read.c 2015-02-20 23:17:44 UTC (rev 5114) +++ trunk/libspectrum/tzx_read.c 2015-02-25 22:31:10 UTC (rev 5115) @@ -604,7 +604,7 @@ data = libspectrum_malloc( data_size ); - if( *ptr + data_size > end || *ptr + data_size < *ptr ) { + if( end - (*ptr) < data_size ) { libspectrum_free( data ); libspectrum_tape_block_free( block ); libspectrum_print_error( LIBSPECTRUM_ERROR_CORRUPT, Modified: trunk/libspectrum/warajevo_read.c =================================================================== --- trunk/libspectrum/warajevo_read.c 2015-02-20 23:17:44 UTC (rev 5114) +++ trunk/libspectrum/warajevo_read.c 2015-02-25 22:31:10 UTC (rev 5115) @@ -211,9 +211,8 @@ int error; libspectrum_dword next_block; - /* Check we have enough data, and check for pointer wrap */ - if( buffer + 8 + *offset > end || buffer + *offset < buffer || - buffer + 8 + *offset < buffer ) { + /* Check we have enough data */ + if( end - buffer < *offset || end - buffer - *offset < 8 ) { libspectrum_print_error( LIBSPECTRUM_ERROR_CORRUPT, "libspectrum_warajevo_read: not enough data in buffer" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
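Review bot: Same pattern as the pzx_read.c hunk: `if( end - *buffer < data_length )` mixes a signed ptrdiff_t with an unsigned chunk length, so it relies on read_chunk_header never advancing `*buffer` beyond `end`; a negative difference would silently pass the check. Consider `if( *buffer > end || (size_t)( end - *buffer ) < data_length )` or a one-line comment recording the invariant the check depends on. szx_read_chunk's body continues outside the hunk.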
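Review bot: `data = libspectrum_malloc( data_size );` still executes before the bounds check, so a corrupt TZX can request an allocation of whatever size the length field holds before `end - (*ptr) < data_size` rejects it; moving the check above the malloc avoids an allocation sized by untrusted input and removes the `libspectrum_free( data )` from the error path. If libspectrum_malloc terminates the process on allocation failure, as wrappers of this kind often do, a crafted length could abort before the corruption is reported, so the reorder is a robustness fix rather than a cosmetic one. As in the other hunks, `end - (*ptr)` is a signed difference compared with an unsigned data_size, which is only safe while `*ptr <= end`. The enclosing function starts and continues outside the hunk.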
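Review bot: The replacement comment `/* Check we have enough data */` drops the explanation of why the check is written as two clauses; the first test `end - buffer < *offset` is what keeps `end - buffer - *offset` in the second clause from wrapping (the subtraction is done in unsigned arithmetic once *offset's type is involved), and a later edit that reorders or merges the clauses would reintroduce the wrap the commit is removing. Suggest `/* Check we have enough data; the first test keeps the second subtraction from wrapping */`. The function's body starts and continues outside the hunk.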