+ if ((rom + bytes - 1) > rom_end) {
Would be good.
YH
Index: src/stream/rom_stream.c =================================================================== --- src/stream/rom_stream.c (revision 2542) +++ src/stream/rom_stream.c (working copy) @@ -116,7 +116,7 @@ byte_offset_t stream_skip(byte_offset_t { byte_offset_t bytes; bytes = count; - if ((rom + bytes) > rom_end) { + if (rom+bytes-1 > rom_end) { printk_warning("%6d:%s() - overflowed source buffer\n", __LINE__, __FUNCTION__); bytes = 0;
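Review bot: In the changed condition `if (rom+bytes-1 > rom_end)`, the sum is still formed before it is compared, so a large enough `count` can wrap `rom+bytes-1` and pass the check. Comparing the length against the space that remains, for example `if (bytes > rom_end - rom + 1)`, keeps the arithmetic inside the buffer as long as `rom` never exceeds `rom_end + 1`. The new line also drops the spacing and parentheses of the line it replaces; `(rom + bytes - 1) > rom_end` would match the surrounding style.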
-----Original Message-----
From: linuxbios-bounces@linuxbios.org [mailto:linuxbios-bounces@linuxbios.org] On Behalf Of Roman Kononov
Sent: Friday, February 02, 2007 1:23 PM
To: LinuxBIOS
Subject: Re: [LinuxBIOS] [PATCH] romstream off-by-1
On 02/02/2007 10:57 AM, Stefan Reinauer wrote:
I suggest comparing (rom + bytes - 1) > rom_end, because rom_end seems to be the logical border we're checking for.
(rom + bytes - 1 > rom_end) is equal to (rom + bytes > rom_end + 1) provided that [rom,rom_end+1) does not cross 0x7fffffff+1 and ptrdiff_t is signed, or [rom,rom_end+1) does not cross 0xffffffff+1 and ptrdiff_t is unsigned. In linuxbios, [rom,rom_end+1) crosses neither boundary.
Strictly speaking, an exception for the first statement is when ptrdiff_t is signed (which is our case); rom+bytes-1 does not overflow and is 0x7fffffff; rom+bytes does overflow and is 0x80000000; rom_end is, for example, 0xffff0000. Then,

(rom + bytes - 1 > rom_end) is true
(rom + bytes > rom_end + 1) is false

For this to happen rom must be within [0x00000000-0x7fffffff], which is impossible.
Anyway, your flavor is attached.
Regards,
Signed-off-by: Roman Kononov kononov195-lbl@yahoo.com
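
The equivalence argument and the signed-overflow exception described in the message above can be checked mechanically. The following C model is an added example, not code from the thread or from LinuxBIOS; it treats addresses as 32-bit values that wrap modulo 2^32, and the function names and the ROM window 0xfffc0000-0xfffdffff are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model: 32-bit addresses whose sums wrap modulo 2^32, compared as signed
 * or unsigned values. The int32_t cast assumes two's complement. */
static bool gt(uint32_t a, uint32_t b, bool is_signed)
{
    return is_signed ? (int32_t)a > (int32_t)b : a > b;
}

/* Form from the thread: last byte touched against the last valid byte. */
bool check_last(uint32_t rom, uint32_t bytes, uint32_t rom_end, bool is_signed)
{
    return gt(rom + bytes - 1u, rom_end, is_signed);
}

/* Shifted form: one past the last byte touched against one past the end. */
bool check_past(uint32_t rom, uint32_t bytes, uint32_t rom_end, bool is_signed)
{
    return gt(rom + bytes, rom_end + 1u, is_signed);
}

/* Number of skip lengths in 0..max_bytes for which the two forms differ. */
unsigned disagreements(uint32_t rom, uint32_t rom_end, uint32_t max_bytes,
                       bool is_signed)
{
    unsigned n = 0;
    for (uint32_t b = 0; b <= max_bytes; b++)
        if (check_last(rom, b, rom_end, is_signed) !=
            check_past(rom, b, rom_end, is_signed))
            n++;
    return n;
}

int main(void)
{
    /* Constructed ROM window high in the address space. */
    const uint32_t rom = 0xfffc0000u, rom_end = 0xfffdffffu;
    printf("window, signed:   %u\n", disagreements(rom, rom_end, 0x30000u, true));
    printf("window, unsigned: %u\n", disagreements(rom, rom_end, 0x30000u, false));
    /* The exception from the message: rom+bytes-1 is 0x7fffffff. */
    printf("exception: last=%d past=%d\n",
           check_last(0x7ffffff0u, 0x10u, 0xffff0000u, true),
           check_past(0x7ffffff0u, 0x10u, 0xffff0000u, true));
    return 0;
}
```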