author | Mike Frysinger <vapier@gentoo.org> | 2015-11-26 03:41:47 -0500 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2015-11-26 03:41:47 -0500 |
commit | 335e3c30ebd98959a53c22b12b17f907d7def48c (patch) | |
tree | 45abaff97416280ba95a9fed86ca30ecfedc42eb | |
parent | security: whitelist the getcwd syscall (diff) | |
xarray: move ele update to after bounds check
Even though we don't use the loaded ele value until after we check
the bounds of the counter, it makes ASAN unhappy, and might cause
a load of invalid memory.
URL: https://bugs.gentoo.org/553368
Reported-by: Hanno Boeck <hanno@gentoo.org>
-rw-r--r-- | xfuncs.h | 8 |
1 files changed, 6 insertions, 2 deletions
@@ -27,10 +27,14 @@ void xarraypush(array_t *array, const void *ele, size_t ele_len);
 #define xarraypush_str(arr, ele) xarraypush(arr, ele, strlen(ele) + 1 /*NUL*/)
 void xarrayfree(array_t *array);
 #define xrealloc_array(ptr, size, ele_size) xrealloc(ptr, (size) * (ele_size))
+/* The assignment after the check is unfortunate as we do a non-NULL check (we
+ * already do not permit pushing of NULL pointers), but we can't put it in the
+ * increment phase as that will cause a load beyond the bounds of valid memory.
+ */
 #define array_for_each(arr, n, ele) \
 for (n = 0, ele = array_cnt(arr) ? arr->eles[n] : NULL; \
- n < array_cnt(arr); \
- ele = arr->eles[++n])
+ n < array_cnt(arr) && (ele = arr->eles[n]); \
+ ++n)
 #define array_init_decl { .eles = NULL, .num = 0, }
 #define array_cnt(arr) (arr)->num
 char *array_flatten_str(array_t *array);
|
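Review bot: The new loop condition `n < array_cnt(arr) && (ele = arr->eles[n])` in `array_for_each` makes termination depend on the element being non-NULL, so a NULL slot would end the iteration silently and the remaining entries would never be visited. The added comment relies on xarraypush never storing NULL, but that function's body is not in this hunk, and nothing here enforces the invariant for any other code that writes to `eles`. Decoupling the load from the test keeps the out-of-bounds fix without that dependency: `n < array_cnt(arr) && ((ele = arr->eles[n]), 1); \`. Separately, `arr` is unparenthesized in `arr->eles[n]` while `array_cnt` expands to `(arr)->num`; writing `(arr)->eles[n]` would make the macro consistent and safe for non-trivial argument expressions.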