View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009279 | GNUnet | util library | public | 2024-10-18 15:02 | 2024-10-23 21:34 |
| Reporter | fefe | Assigned To | schanzen | ||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | assigned | Resolution | open | ||
| Product Version | Git master | ||||
| Target Version | 0.22.2 | ||||
| Summary | 0009279: GNUNET_buffer_write_data_encoded: integer overflow | ||||
| Description | In buffer.c: 264 void 265 GNUNET_buffer_write_data_encoded (struct GNUNET_Buffer *buf, 266 const void *data, 267 size_t data_len) 268 { 269 size_t outlen = data_len * 8; This can overflow. 271 if (outlen % 5 > 0) 272 outlen += 5 - outlen % 5; 273 outlen /= 5; Line 272 can overflow. It's probably better to write this as: int roundup = (outlen % 5 > 0); outlen = (outlen / 5) + roundup; | ||||
| Tags | No tags attached. | ||||
|
|
actually since *8 means we can always add 0..7 without overflow checking, you could write it as outlen = (outlen + 4) / 5; |
|
|
I don't understand the comment: We can assert that (data_len <= SIZE_MAX / 8) such that line 269 does not overflow. But if data_len == SIZE_MAX / 8 then the above will overflow surely? |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-10-18 15:02 | fefe | New Issue | |
| 2024-10-18 15:18 | fefe | Note Added: 0023545 | |
| 2024-10-23 13:20 | schanzen | Target Version | => 0.22.2 |
| 2024-10-23 21:34 | schanzen | Note Added: 0023579 | |
| 2024-10-23 21:34 | schanzen | Assigned To | => schanzen |
| 2024-10-23 21:34 | schanzen | Status | new => assigned |
