Closed sjxer723 closed 1 year ago
Hi @sjxer723!
Thank you for your pull request and welcome to our community.
In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.
In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.
Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.
If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!
Hi, this PR contains some improvements and fixes to buffer overrun analysis. The two fixes were originally inspired by the two false positives/negatives we found.

There will be a buffer overrun issue within the condition judgment of the `for` statement, since `i` will finally be equal to 1 and the statement will check whether `a[1]` is nonzero.

Before executing the fourth `if` statement, BO will regard the value of `seedlen` as max{16, entropy_len}. However, when executing the fourth `if` statement, by adding the two variables `seedlen` and `nonce_len`, BO makes a rough estimation as described above, and will regard the upper bound of `seedlen` as 16 + nonce_len. Hence, it will cause a false positive when executing the call to the `memcpy` function.

For the two issues above, I have made the following improvements.

- `L3`-level error when the upper bound of the index is +oo and the upper bound of the array size is limited.
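The first case above, an out-of-bounds read performed by the loop's own exit test, as a constructed C illustration added here. It is not the PR's test case and not Infer's code; the function names `first_zero_unchecked` and `first_zero_checked` and the sample arrays are assumptions made for the example. The unchecked scan reads `a[i]` before knowing that `i` is still inside the array, so on a one-element array holding a nonzero value the condition is evaluated with `i == 1` and reads `a[1]`; the checked form tests the bound first so the read is short-circuited.

```c
#include <stddef.h>

/* Constructed sample inputs (not from the PR). */
#define SAMPLE_LEN 1
static const int sample_no_zero[SAMPLE_LEN] = { 7 };       /* every element nonzero */
static const int sample_with_zero[3]        = { 4, 0, 9 }; /* zero at index 1 */

/* "Before": the for-condition indexes a[i] without a bound on i. Scanning an
 * array that contains no zero makes the last evaluation of the condition read
 * a[len] (a[1] for sample_no_zero), one element past the end. This is the
 * pattern the description calls a buffer overrun within the condition
 * judgment of the for statement. Only ever call it on input that holds a zero. */
size_t first_zero_unchecked(const int *a) {
    size_t i;
    for (i = 0; a[i] != 0; i++) { /* a[len] is read when no zero is present */ }
    return i;
}

/* "After": the bounds check is evaluated first, so a[i] is never read once
 * i == len. Returns len when the array holds no zero. */
size_t first_zero_checked(const int *a, size_t len) {
    size_t i;
    for (i = 0; i < len && a[i] != 0; i++) { }
    return i;
}

int main(void) {
    /* 7 is nonzero, so the checked scan stops at i == 1 without touching a[1]. */
    return first_zero_checked(sample_no_zero, SAMPLE_LEN) == SAMPLE_LEN ? 0 : 1;
}
```

On the all-nonzero array only the checked version is safe to run; the unchecked version is kept as the shape an analyzer such as BO has to flag when the index's upper bound exceeds the known array size.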