dvidelabs / flatcc

FlatBuffers Compiler and Library in C for C
Apache License 2.0

Fix #221 Bad string length causes segmentation fault. #222

Closed Geneo-5 closed 2 years ago

Geneo-5 commented 2 years ago

If n = 0xFFFFFFFF then n + 1 = 0. end - base (unsigned value) is always greater than 0. Finally the function tests the value (buf + base)[0xFFFFFFFF], which crashes.

mikkelfj commented 2 years ago

I'm not sure that end - base is always greater than zero, but it should always be greater than zero in order to handle zero termination. Can you explain? I think your fix is correct though.

Geneo-5 commented 2 years ago

The offset is of type unsigned int 32. Let n = 0xFFFFFFFF. For all end and base in [0, 0xFFFFFFFF], end - base >= n + 1 because n + 1 = 0. The last test checks if the end of the string is set to 0x00, but with this n the test is outside the buffer memory (buffer + base + 0xFFFFFFFF).
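
The wrap-around described in this comment, as an added example that is neither flatcc's code nor the fix in this PR: a simplified model of the string length check in the vulnerable form (comparing against n + 1) beside a form that cannot wrap, plus a toy verifier that applies the fixed form to constructed buffers. The function and enum names are this example's own; `end` is the buffer size, `base` the offset of the first string byte past the 32-bit length prefix, and `n` the length read from the buffer, all 32-bit unsigned like the offsets discussed here, with base <= end assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Status codes of this toy verifier (names are this example's own). */
enum { STR_OK = 0, STR_LEN_OUT_OF_BOUNDS, STR_OUT_OF_BOUNDS, STR_NOT_TERMINATED };

/* Vulnerable form: n + 1 wraps to 0 when n == 0xFFFFFFFF, so the check
 * passes for any end/base and the later read of (buf + base)[n] lands
 * far outside the buffer. Returns 1 to accept. */
int bounds_check_vulnerable(uint32_t end, uint32_t base, uint32_t n)
{
    return end - base >= n + 1;
}

/* Hardened form: same condition without forming n + 1, so n == 0xFFFFFFFF
 * is rejected (no 32-bit value of end - base exceeds it). */
int bounds_check_fixed(uint32_t end, uint32_t base, uint32_t n)
{
    return end - base > n;
}

/* Verify a string stored at offset `off` as a little-endian 32-bit length n,
 * then n bytes, then a 0 terminator, inside a buffer of `end` bytes. */
int verify_string(const uint8_t *buf, uint32_t end, uint32_t off)
{
    uint32_t n, base;
    if (off > end || end - off < 4)
        return STR_LEN_OUT_OF_BOUNDS;
    n = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
        (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
    base = off + 4;
    if (!bounds_check_fixed(end, base, n))
        return STR_OUT_OF_BOUNDS;
    if (buf[base + n] != 0)            /* in bounds: base + n < end */
        return STR_NOT_TERMINATED;
    return STR_OK;
}

/* Constructed samples: a valid "hi", and the crafted length 0xFFFFFFFF. */
static const uint8_t sample_good[] = { 2, 0, 0, 0, 'h', 'i', 0 };
static const uint8_t sample_bad_len[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'h', 'i', 0 };

int main(void)
{
    printf("crafted length: vulnerable check %d, fixed check %d, verify %d\n",
           bounds_check_vulnerable(7, 4, 0xFFFFFFFF),
           bounds_check_fixed(7, 4, 0xFFFFFFFF), verify_string(sample_bad_len, 7, 0));
    return 0;
}
```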

mikkelfj commented 2 years ago

I understand. But I do not understand your initial comment "end - base (unsigned value) is always greater than 0." Do you mean that it cannot be zero, or that it must not be zero? Because I think it can be zero even if the buffer is not valid then.