[Speex-dev] [PATCH]Add address overflow check

Jean-Marc Valin jmvalin at jmvalin.ca
Tue Mar 20 20:18:04 UTC 2018


On 02/12/2018 05:28 AM, Nicholas Wilson wrote:
> The "bad" way of doing a length check is
> 
> char *buf_start, *buf_end;
> unsigned len_to_check;
> if (buf_start + len_to_check > buf_end)
>     fail();
> 
> Because the length is to-be-checked, it could have an unsafe large value, causing an (unsigned) overflow. For example, with buf_start = 0xffff_ff00 and buf_end = 0xffff_ff10, the maximum allowed length is 0x10, but a length of 0x100 will cause an overflow and bypass the check.

Right. And in fact the C standard says that merely computing the
expression ptr+large_value is undefined (when the result points beyond
the buffer) even if you don't use the pointer.

> The safe way of doing a length check is
> 
> if (buf_end - buf_start < len_to_check)
>     fail();
> 
> The buffer bounds are known safe, so the arithmetic is OK to do that way round.

Yes, I agree. That would be the right way to make the check.

Cheers,

	Jean-Marc
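The two checks from the thread side by side, as an added example that is not part of the original messages or of the Speex code. The "bad" check is modelled on uint32_t values so the wraparound is defined unsigned arithmetic rather than the pointer UB Jean-Marc mentions; the values 0xffffff00, 0xffffff10, 0x10 and 0x100 are the ones from Nicholas's message. The safe check runs on real pointers. read_bytes, parse_msg and parse_demo are hypothetical helpers showing how the safe form is used in a bounded parser over a constructed two-field message (a 1-byte length followed by the payload).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The "bad" check from the thread, on 32-bit unsigned values so the
   wraparound is defined arithmetic (a real buf_start + len past the
   object would be undefined behaviour). Returns 1 if the check lets
   the length through. */
int bad_check_accepts(uint32_t buf_start, uint32_t buf_end, uint32_t len)
{
    uint32_t end_of_read = (uint32_t)(buf_start + len); /* may wrap to a small value */
    return !(end_of_read > buf_end);
}

/* The safe check on real pointers: compare the room that is left with the
   requested length and never form an out-of-range pointer. Assumes
   buf_start <= buf_end and both point into the same object. */
int safe_check_accepts(const char *buf_start, const char *buf_end, size_t len)
{
    size_t room = (size_t)(buf_end - buf_start);
    return !(room < len);
}

/* Safe check applied to a constructed 16-byte buffer, so the difference
   to the modelled bad check can be compared for the same lengths. */
int safe_check_on_16_bytes(size_t len)
{
    static char buf[16];
    return safe_check_accepts(buf, buf + sizeof buf, len);
}

/* Hypothetical bounded reader: copies len bytes from *cur into out only
   when they fit before end, then advances the cursor. Returns 0 on failure. */
int read_bytes(const char **cur, const char *end, void *out, size_t len)
{
    if (!safe_check_accepts(*cur, end, len))
        return 0;
    memcpy(out, *cur, len);
    *cur += len;
    return 1;
}

/* Parses a constructed message: one length byte, then that many payload
   bytes. Returns the payload length, or -1 if the message is truncated
   or the declared length does not fit the caller's payload buffer. */
int parse_msg(const char *msg, size_t msg_len, char *payload, size_t payload_cap)
{
    const char *cur = msg;
    const char *end = msg + msg_len;
    unsigned char declared;

    if (!read_bytes(&cur, end, &declared, 1))
        return -1;
    if (declared > payload_cap)
        return -1;
    if (!read_bytes(&cur, end, payload, declared))
        return -1;
    return (int)declared;
}

/* parse_msg with a local 32-byte payload buffer, for quick calls. */
int parse_demo(const char *msg, size_t msg_len)
{
    char payload[32];
    return parse_msg(msg, msg_len, payload, sizeof payload);
}

int main(void)
{
    /* Values from the thread: 0x10 bytes of room, 0x100 bytes requested. */
    printf("bad check, len 0x100: %s\n",
           bad_check_accepts(0xffffff00u, 0xffffff10u, 0x100) ? "accepted (overflow)" : "rejected");
    printf("safe check, len 0x100: %s\n",
           safe_check_on_16_bytes(0x100) ? "accepted" : "rejected");
    /* Hex escapes are split from the following letters because \x would
       otherwise swallow the hex digits a, b, c. */
    printf("parse \"\\x03abc\": %d\n", parse_demo("\x03" "abc", 4));
    printf("parse truncated \"\\x10ab\": %d\n", parse_demo("\x10" "ab", 3));
    return 0;
}
```

The bad check still rejects lengths that are merely one byte too long (0x11); it is only the very large lengths that wrap past the end address and slip through, which is exactly the attacker-controlled case the thread is about. The safe form rejects every length greater than the room left, including SIZE_MAX.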
