[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201101241519.07547.lasse.collin@tukaani.org>
Date: Mon, 24 Jan 2011 15:19:07 +0200
From: Lasse Collin <lasse.collin@...aani.org>
To: Andreas Schwab <schwab@...ux-m68k.org>,
Jesper Juhl <jj@...osbits.net>
Cc: linux-kernel@...r.kernel.org
Subject: Re: Possible array overrun in lzma_reset()
On 2011-01-23 Andreas Schwab wrote:
> Jesper Juhl <jj@...osbits.net> writes:
>
> > 787 probs = s->lzma.is_match[0];
> > At conditional (1): "i < 14134UL" taking true path
> > At conditional (2): "i < 14134UL" taking true path
> > At conditional (3): "i < 14134UL" taking true path
> > 788 for (i = 0; i < PROBS_TOTAL; ++i)
> > Event overrun-local: Overrunning static array of size 32 bytes at byte position 28266 by indexing pointer "probs" with index variable "i".
> > Event overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun.
> > 789 probs[i] = RC_BIT_MODEL_TOTAL / 2;
> > ...
> >
> > I looked into the report and found that 's->lzma.is_match' is
> > uint16_t is_match[STATES][POS_STATES_MAX]
> > where 'STATES' is '#define STATES 12' and 'POS_STATES_MAX' is '#define POS_STATES_MAX (1 << 4)'.
> >
> > So I think the checker has a point.
>
> The loop treats the part of the structure from is_match to the end as
> a single array of PROBS_TOTAL uint16_t (which it is, in effect).
Correct. The comment in the code tries to say it too:
* All probabilities are initialized to the same value. This hack
* makes the code smaller by avoiding a separate loop for each
* probability array.
So there is no bug.
--
Lasse Collin | IRC: Larhzu @ IRCnet & Freenode
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists