author | David Benjamin <davidben@davidben.net> | 2025-01-02 14:02:29 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-01-02 11:02:29 -0800 |
commit | 578eeb702ec0fbb6b9780f3d4147b1076630d633 (patch) | |
tree | 0d8e93c1c6ee643ab4f7f465eaf662efc9eb49dc | |
parent | 23e35d792b9154f922b8b575b12596a4d8664c65 (diff) | |
Fix invalid pointer arithmetic in Hash (#1222)

It is UB to exceed the bounds of the buffer when doing pointer
arithmetic. That means the following is not a valid bounds check:

    if (start + 4 <= limit)

Because if we were at the end of the buffer, we wouldn't be
allowed to add 4 anyway. Instead, this must be written as:

    if (limit - start >= 4)

Basic forms of this issue are flagged by UBSan. If building with
-fsanitize=undefined, the following test trips an error:

    [ RUN ] HASH.SignedUnsignedIssue
    .../leveldb/util/hash.cc:30:15: runtime error: applying non-zero offset 4 to null pointer
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/local/google/home/davidben/leveldb/util/hash.cc:30:15 in
    [ OK ] HASH.SignedUnsignedIssue (1 ms)

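The same subtraction-style check applied to a length that comes from the input, as an added example that is not part of the commit or of leveldb. It goes beyond the fixed constant 4 in the commit message: the record format and the names `HasBytes`, `Load32` and `SumRecords` are hypothetical, and the sample buffers are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical helper: true when at least `need` bytes lie in [p, limit).
// The remaining length is computed by subtraction, which is defined when both
// pointers refer to the same buffer (or are both null); p + need is never formed.
inline bool HasBytes(const char* p, const char* limit, size_t need) {
  return static_cast<size_t>(limit - p) >= need;
}

// Little-endian 32-bit load; the caller has already checked that 4 bytes exist.
inline uint32_t Load32(const char* p) {
  const unsigned char* u = reinterpret_cast<const unsigned char*>(p);
  return uint32_t(u[0]) | uint32_t(u[1]) << 8 | uint32_t(u[2]) << 16 |
         uint32_t(u[3]) << 24;
}

// Walks records of the form [u32 len][len payload bytes] and sums the payload
// bytes. Returns false when a header or payload is truncated.
bool SumRecords(const char* data, size_t n, uint64_t* total, size_t* count) {
  const char* limit = data + n;  // with n == 0 this adds 0, valid even for null
  const char* p = data;
  *total = 0;
  *count = 0;
  while (p != limit) {
    if (!HasBytes(p, limit, 4)) return false;  // truncated header
    uint32_t len = Load32(p);
    p += 4;
    // The form to avoid is `p + len <= limit`: with an oversized len the
    // addition itself is undefined, so the comparison proves nothing.
    if (!HasBytes(p, limit, len)) return false;  // len claims more than is left
    for (uint32_t i = 0; i < len; ++i) *total += static_cast<unsigned char>(p[i]);
    p += len;
    ++*count;
  }
  return true;
}

int main() {
  // Constructed sample: one 2-byte record {1, 2} followed by an empty record.
  const char ok[] = {2, 0, 0, 0, 1, 2, 0, 0, 0, 0};
  uint64_t total = 0;
  size_t count = 0;
  bool parsed = SumRecords(ok, sizeof(ok), &total, &count);
  std::printf("parsed=%d total=%llu count=%zu\n", parsed,
              static_cast<unsigned long long>(total), count);
  return parsed ? 0 : 1;
}
```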
-rw-r--r-- | util/hash.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/util/hash.cc b/util/hash.cc index 8122fa8..fa252c7 100644 --- a/util/hash.cc +++ b/util/hash.cc @@ -27,7 +27,7 @@ uint32_t Hash(const char* data, size_t n, uint32_t seed) { uint32_t h = seed ^ (n * m); // Pick up four bytes at a time - while (data + 4 <= limit) { + while (limit - data >= 4) { uint32_t w = DecodeFixed32(data); data += 4; h += w; |
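Review bot: the rewritten loop condition `while (limit - data >= 4)` carries no comment explaining why subtraction is used, and the removed form `data + 4 <= limit` looks equivalent to a casual reader, so a later cleanup could reintroduce it. Suggest extending the existing "Pick up four bytes at a time" comment with a short remark that forming `data + 4` past the end of the buffer is undefined behaviour. The definition of `limit` and the handling of the leftover bytes after the loop are outside this hunk; it is worth confirming that neither uses the same add-then-compare pattern, and running the HASH tests under -fsanitize=undefined in CI so the report quoted in the commit message cannot regress silently.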