[LinuxBIOS] [PATCH] romstream off-by-1

Lu, Yinghai yinghai.lu at amd.com
Sat Feb 3 01:02:17 CET 2007


+	if ((rom + bytes - 1) > rom_end) {

Would be good.

YH


Index: src/stream/rom_stream.c
===================================================================
--- src/stream/rom_stream.c	(revision 2542)
+++ src/stream/rom_stream.c	(working copy)
@@ -116,7 +116,7 @@ byte_offset_t stream_skip(byte_offset_t 
 {
 	byte_offset_t bytes;
 	bytes = count;
-	if ((rom + bytes) > rom_end) {
+	if (rom+bytes-1 > rom_end) {
 		printk_warning("%6d:%s() - overflowed source buffer\n",
 			__LINE__, __FUNCTION__);
 		bytes = 0;



-----Original Message-----
From: linuxbios-bounces at linuxbios.org
[mailto:linuxbios-bounces at linuxbios.org] On Behalf Of Roman Kononov
Sent: Friday, February 02, 2007 1:23 PM
To: LinuxBIOS
Subject: Re: [LinuxBIOS] [PATCH] romstream off-by-1

On 02/02/2007 10:57 AM, Stefan Reinauer wrote:
> I suggest comparing (rom + bytes - 1) > rom_end, because rom_end seems
> to be the logical border we're checking for.

(rom + bytes - 1 > rom_end) equals to (rom + bytes > rom_end + 1)
provided that
[rom,rom_end+1) does not cross 0x7fffffff+1 and ptrdiff_t is signed,
or
[rom,rom_end+1) does not corss 0xffffffff+1 and ptrdiff_t is unsigned.
In linuxbios, [rom,rom_end+1) crosses neither boundary.

Strictly speaking, an exception for the first statement is when
    ptrdiff_t is signed (which is our case);
    rom+bytes-1 does not overflow and is 0x7fffffff;
    rom+bytes does overflow and is 0x80000000;
    rom_end is, for example, 0xffff0000.
Then,
   (rom + bytes - 1 > rom_end) is true
   (rom + bytes > rom_end + 1) is false
For this to happen rom must be within
[0x00000000-0x7fffffff], which is impossible.

Any way, you flavor is attached.

Regards,

Signed-off-by: Roman Kononov <kononov195-lbl at yahoo.com>







More information about the coreboot mailing list