Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

binpac: Fix integer overflow in binpac generated code.

Browse source 
The issue is that t_begin_of_data + %s can sometimes overflow.

Bug reported and patch proposed by
Philippe Antoine <p.antoine@catenacyber.fr> from Catena cyber.
This commit is contained in:
Johanna Amann 2018-02-13 09:27:42 -08:00 committed by Tim Wojtulewicz
parent e4c168836e
commit 827d1ff11e
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tools/binpac/src/pac_array.cc
View file

@ -280,8 +280,8 @@ void ArrayType::GenArrayLength(Output *out_cc, Env *env, const DataPtr& data)
// Check for overlong array length. We cap it at the // Check for overlong array length. We cap it at the
// maximum data size as we won't store more elements. // maximum data size as we won't store more elements.
out_cc->println("if ( t_begin_of_data + %s > t_end_of_data + 1 )", out_cc->println("if ( t_begin_of_data + %s > t_end_of_data + 1 || t_begin_of_data + %s < t_begin_of_data )",
env->LValue(arraylength_var())); env->LValue(arraylength_var()), env->LValue(arraylength_var()));
out_cc->inc_indent(); out_cc->inc_indent();
out_cc->println("{"); out_cc->println("{");
out_cc->println("%s = t_end_of_data - t_begin_of_data + 1;", out_cc->println("%s = t_end_of_data - t_begin_of_data + 1;",