Bug: reading out of bounds in cint_array.c
From: Michael Builov
Subject: Bug: reading out of bounds in cint_array.c
Date: Mon, 13 Jan 2020 16:32:29 +0300
Hello.
I have just spotted a possible read beyond array bounds in
cint_array_init().
What if NHAT is defined as 30 in the environment?
The code:
static NODE **
cint_array_init(NODE *symbol, NODE *subs)
{
        ........
        /* check relevant environment variables */
        if ((newval = getenv_long("NHAT")) > 1 && newval < INT32_BIT)
                NHAT = (unsigned) newval;
        /* don't allow overflow off the end of the table */
        if (NHAT >= nelems)
                NHAT = nelems - 2;
        THRESHOLD = power_two_table[NHAT + 1];
        ..........
}
INT32_BIT == 32
nelems == 31
so
THRESHOLD = power_two_table[30 + 1]; // reading out of bounds!
Best regards,
Michael M. Builov.
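The index arithmetic from the report, as an added illustration that is not gawk's code and not part of the original message. It models only the clamp and the resulting table index, without touching a real table, so it can be run safely; INT32_BIT == 32 and nelems == 31 are taken from the report, while the default NHAT value of 10 and the clamped variant (which checks NHAT + 1 rather than NHAT against nelems) are assumptions made here for the demonstration.

```c
/* Added example (not from gawk): model the NHAT clamp in cint_array_init()
 * and show which environment values still yield an out-of-range index. */
#include <stdio.h>

#define INT32_BIT 32          /* from the report */
#define TABLE_NELEMS 31       /* nelems from the report: power_two_table size */
#define NHAT_DEFAULT 10       /* assumption: value used when NHAT is not set */

/* Mirrors the logic quoted in the report and returns the index that
 * power_two_table[NHAT + 1] would use, without performing the read. */
int threshold_index_as_reported(long newval, int nelems)
{
    unsigned nhat = NHAT_DEFAULT;

    /* same acceptance test as the quoted code */
    if (newval > 1 && newval < INT32_BIT)
        nhat = (unsigned) newval;

    /* the quoted clamp: only rejects NHAT >= nelems, so NHAT == nelems - 1
     * passes and NHAT + 1 == nelems is read one past the end */
    if (nhat >= (unsigned) nelems)
        nhat = (unsigned) (nelems - 2);

    return (int) nhat + 1;
}

/* Hardened variant (assumption, not gawk's fix): clamp on the value that is
 * actually used as the index, NHAT + 1, so it can never reach nelems. */
int threshold_index_clamped(long newval, int nelems)
{
    unsigned nhat = NHAT_DEFAULT;

    if (newval > 1 && newval < INT32_BIT)
        nhat = (unsigned) newval;

    if (nhat + 1 >= (unsigned) nelems)
        nhat = (unsigned) (nelems - 2);

    return (int) nhat + 1;
}

/* Bounds predicate used to classify a computed index. */
int index_in_bounds(int idx, int nelems)
{
    return idx >= 0 && idx < nelems;
}

int main(void)
{
    /* Constructed sample: the NHAT=30 case from the report plus neighbours. */
    long samples[] = { 2, 10, 29, 30, 31, 32, 100 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int as_is = threshold_index_as_reported(samples[i], TABLE_NELEMS);
        int fixed = threshold_index_clamped(samples[i], TABLE_NELEMS);
        printf("NHAT=%3ld  reported index=%2d (%s)  clamped index=%2d (%s)\n",
               samples[i],
               as_is, index_in_bounds(as_is, TABLE_NELEMS) ? "ok" : "OUT OF BOUNDS",
               fixed, index_in_bounds(fixed, TABLE_NELEMS) ? "ok" : "OUT OF BOUNDS");
    }
    return 0;
}
```

Running it shows that NHAT=30 is the single value that passes the quoted check yet produces index 31, equal to nelems, while NHAT=31 is clamped to 29 by the original code and values of 32 and above never pass the INT32_BIT test at all.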