[cfe-dev] Detecting undefined pointer arithmetic
Demi M. Obenour via cfe-dev
cfe-dev at lists.llvm.org
Thu Jan 14 17:52:38 PST 2021
On 1/14/21 7:52 PM, Johannes Doerfert via cfe-dev wrote:
> We would/should not exploit UB in such a case, at least not in the shown
> example. The pointer computation might yield `poison` but that is it.
> If you'd use the pointer afterwards, the situation is different though.
>
> ~ Johannes
The code pattern I see in practice is essentially:
    /* sketch: initialize() and untrusted_user_input() stand in for the real callers */
    char *p = malloc(some_bytes);
    if (!p)
        goto fail;
    initialize(p, some_bytes);
    char *end = p + some_bytes;      /* one past the end, which is well defined */
    int offset = untrusted_user_input();
    if (offset < 0 || offset > (1 << 28))
        goto fail;
    if (p + offset > end)            /* p + offset is formed before it is known to be <= end */
        goto fail;
    /* assume that offset is in bounds from here on */
RPM uses this quite a bit.
Sincerely,
Demi
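The pattern above forms `p + offset` before anything guarantees that `offset <= some_bytes`, so when the untrusted value is too large the addition itself (not only a later dereference) leaves the object, and C17 6.5.6p8 makes that undefined; a compiler is free to fold the comparison away. The following is an added example, not code from the original post or from RPM: it places the quoted check next to a form that compares integers first and only then derives the pointer, and uses it to read a little-endian 32-bit field at an untrusted offset. The sample buffer and the function names (`offset_in_bounds_ub`, `offset_in_bounds`, `read_u32_at`) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The check as quoted in the post. The one-past-the-end pointer `end` is fine,
 * but `p + offset` is computed before offset is known to be <= len, so for an
 * oversized offset the addition itself is undefined behaviour. */
static int offset_in_bounds_ub(const char *p, size_t len, int offset)
{
    const char *end = p + len;             /* one past the end: well defined */
    if (offset < 0 || offset > (1 << 28))
        return 0;
    if (p + offset > end)                  /* UB whenever offset > len */
        return 0;
    return 1;
}

/* Hardened form: decide on integers, never on a possibly out-of-bounds pointer.
 * Same accept/reject behaviour as above for every input, without the UB. */
static int offset_in_bounds(const char *p, size_t len, int offset)
{
    (void)p;                               /* pointer not needed for the decision */
    if (offset < 0 || offset > (1 << 28))
        return 0;
    if ((size_t)offset > len)              /* equivalently: offset > end - p */
        return 0;
    return 1;
}

/* Read a little-endian uint32 at an untrusted offset. Returns 1 on success,
 * 0 if the offset or the 4-byte field would fall outside buf[0..len). */
int read_u32_at(const char *buf, size_t len, int offset, uint32_t *out)
{
    if (!offset_in_bounds(buf, len, offset))
        return 0;
    /* len - offset cannot wrap: the check above guarantees offset <= len */
    if (len - (size_t)offset < 4)
        return 0;
    const unsigned char *q = (const unsigned char *)buf + offset;
    *out = (uint32_t)q[0] | ((uint32_t)q[1] << 8) |
           ((uint32_t)q[2] << 16) | ((uint32_t)q[3] << 24);
    return 1;
}

int main(void)
{
    /* constructed sample: 8 bytes, a u32 0x12345678 stored LE at offset 4 */
    const char buf[8] = { 1, 2, 3, 4, 0x78, 0x56, 0x34, 0x12 };
    uint32_t v = 0;
    int ok = read_u32_at(buf, sizeof buf, 4, &v);
    printf("offset 4: ok=%d value=0x%08x\n", ok, v);
    ok = read_u32_at(buf, sizeof buf, 6, &v);       /* field would overrun */
    printf("offset 6: ok=%d\n", ok);
    ok = read_u32_at(buf, sizeof buf, 1 << 20, &v); /* far out of bounds */
    printf("offset 1<<20: ok=%d\n", ok);
    return 0;
}
```

The integer comparison is the whole fix: `end - p` (or the length you already hold) is a well-defined `ptrdiff_t`/`size_t`, whereas `p + offset` is only defined once `offset` is already known to be at most `len`. The same reasoning applies to the `len - offset < 4` field check, which must come after the bound on `offset` so the subtraction cannot wrap.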