LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* Possible array overrun in lzma_reset()
@ 2011-01-22 20:41 Jesper Juhl
  2011-01-22 22:22 ` Andreas Schwab
  0 siblings, 1 reply; 3+ messages in thread
From: Jesper Juhl @ 2011-01-22 20:41 UTC (permalink / raw)
  To: Lasse Collin; +Cc: linux-kernel

Hi,

The Covery prevent checker noticed that there's a buffer overrun in 
lib/xz/xz_dec_lzma2.c::lzma_reset() :

...
778  		/*
779  		 * All probabilities are initialized to the same value. This hack
780  		 * makes the code smaller by avoiding a separate loop for each
781  		 * probability array.
782  		 *
783  		 * This could be optimized so that only that part of literal
784  		 * probabilities that are actually required. In the common case
785  		 * we would write 12 KiB less.
786  		 */
Event ptr_assign: Pointer "probs" is assigned the address of a static array pointer "&s->lzma.is_match[0]" of size 32 bytes.
787  		probs = s->lzma.is_match[0];
At conditional (1): "i < 14134UL" taking true path
At conditional (2): "i < 14134UL" taking true path
At conditional (3): "i < 14134UL" taking true path
788  		for (i = 0; i < PROBS_TOTAL; ++i)
Event overrun-local: Overrunning static array of size 32 bytes at byte position 28266 by indexing pointer "probs" with index variable "i".
Event overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun.
789  			probs[i] = RC_BIT_MODEL_TOTAL / 2;
...

I looked into the report and found that 's->lzma.is_match' is
	uint16_t is_match[STATES][POS_STATES_MAX]
where 'STATES' is '#define STATES 12' and 'POS_STATES_MAX' is '#define POS_STATES_MAX (1 << 4)'.

So I think the checker has a point. However, I'm not familiar enough with 
this code to know what the proper fix is, so I just thought I'd report it 
to the proper people.

Happy bug fixing :-)


-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Possible array overrun in lzma_reset()
  2011-01-22 20:41 Possible array overrun in lzma_reset() Jesper Juhl
@ 2011-01-22 22:22 ` Andreas Schwab
  2011-01-24 13:19   ` Lasse Collin
  0 siblings, 1 reply; 3+ messages in thread
From: Andreas Schwab @ 2011-01-22 22:22 UTC (permalink / raw)
  To: Jesper Juhl; +Cc: Lasse Collin, linux-kernel

Jesper Juhl <jj@chaosbits.net> writes:

> 787  		probs = s->lzma.is_match[0];
> At conditional (1): "i < 14134UL" taking true path
> At conditional (2): "i < 14134UL" taking true path
> At conditional (3): "i < 14134UL" taking true path
> 788  		for (i = 0; i < PROBS_TOTAL; ++i)
> Event overrun-local: Overrunning static array of size 32 bytes at byte position 28266 by indexing pointer "probs" with index variable "i".
> Event overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun.
> 789  			probs[i] = RC_BIT_MODEL_TOTAL / 2;
> ...
>
> I looked into the report and found that 's->lzma.is_match' is
> 	uint16_t is_match[STATES][POS_STATES_MAX]
> where 'STATES' is '#define STATES 12' and 'POS_STATES_MAX' is '#define POS_STATES_MAX (1 << 4)'.
>
> So I think the checker has a point.

The loop treats the part of the structure from is_match to the end as a
single array of PROBS_TOTAL uint16_t (which it is, in effect).

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Possible array overrun in lzma_reset()
  2011-01-22 22:22 ` Andreas Schwab
@ 2011-01-24 13:19   ` Lasse Collin
  0 siblings, 0 replies; 3+ messages in thread
From: Lasse Collin @ 2011-01-24 13:19 UTC (permalink / raw)
  To: Andreas Schwab, Jesper Juhl; +Cc: linux-kernel

On 2011-01-23 Andreas Schwab wrote:
> Jesper Juhl <jj@chaosbits.net> writes:
>
> > 787           probs = s->lzma.is_match[0];
> > At conditional (1): "i < 14134UL" taking true path
> > At conditional (2): "i < 14134UL" taking true path
> > At conditional (3): "i < 14134UL" taking true path
> > 788           for (i = 0; i < PROBS_TOTAL; ++i)
> > Event overrun-local: Overrunning static array of size 32 bytes at byte position 28266 by indexing pointer "probs" with index variable "i".
> > Event overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun.
> > 789                   probs[i] = RC_BIT_MODEL_TOTAL / 2;
> > ...
> >
> > I looked into the report and found that 's->lzma.is_match' is
> >       uint16_t is_match[STATES][POS_STATES_MAX]
> > where 'STATES' is '#define STATES 12' and 'POS_STATES_MAX' is '#define POS_STATES_MAX (1 << 4)'.
> >
> > So I think the checker has a point.
>
> The loop treats the part of the structure from is_match to the end as
> a single array of PROBS_TOTAL uint16_t (which it is, in effect).

Correct. The comment in the code tries to say it too:

    * All probabilities are initialized to the same value. This hack
    * makes the code smaller by avoiding a separate loop for each
    * probability array.

So there is no bug.

-- 
Lasse Collin  |  IRC: Larhzu @ IRCnet & Freenode

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2011-01-24 13:29 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-01-22 20:41 Possible array overrun in lzma_reset() Jesper Juhl
2011-01-22 22:22 ` Andreas Schwab
2011-01-24 13:19   ` Lasse Collin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).