[cfe-commits] r84925 - /cfe/trunk/lib/Frontend/PCHReader.cpp
Douglas Gregor
dgregor at apple.com
Fri Oct 23 09:05:55 PDT 2009
On Oct 22, 2009, at 8:57 PM, Ted Kremenek wrote:
> Author: kremenek
> Date: Thu Oct 22 22:57:22 2009
> New Revision: 84925
>
> URL: http://llvm.org/viewvc/llvm-project?rev=84925&view=rev
> Log:
> Fix integer overflow in PCHReader when reading the length of an
> identifier. This caused a crash when reading PCH files that contained
> long identifier names.
>
> The issue is that 'StrLenPtr' was previously a 'const char *', meaning
> the byte loaded from it would be interpretted as a signed integer. If
> the topmost bit was set, conversion to 'unsigned' would extend that
> bit, causing an overflow.
>
> The solution is to make 'StrLenPtr' an 'unsigned char *', always
> treating the value as an unsigned integer.
>
> This fixes: <rdar://problem/7328900>
>
> Modified:
> cfe/trunk/lib/Frontend/PCHReader.cpp
>
> Modified: cfe/trunk/lib/Frontend/PCHReader.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Frontend/PCHReader.cpp?rev=84925&r1=84924&r2=84925&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Frontend/PCHReader.cpp (original)
> +++ cfe/trunk/lib/Frontend/PCHReader.cpp Thu Oct 22 22:57:22 2009
> @@ -2515,7 +2515,7 @@
> // All of the strings in the PCH file are preceded by a 16-bit
> // length. Extract that 16-bit length to avoid having to execute
> // strlen().
> - const char *StrLenPtr = Str - 2;
> + const unsigned char *StrLenPtr = (const unsigned char*) Str - 2;
> unsigned StrLen = (((unsigned) StrLenPtr[0])
> | (((unsigned) StrLenPtr[1]) << 8)) - 1;
> IdentifiersLoaded[ID - 1]
That is really embarrassing. Thanks for tracking down and fixing my
heinous bug :(
- Doug
More information about the cfe-commits
mailing list