authorDmitry Vyukov <dvyukov@google.com>2015-03-16 08:04:26 +0000
committerDmitry Vyukov <dvyukov@google.com>2015-03-16 08:04:26 +0000
commitee842385add4cc5026a668d2cecdd42ebfd94ac5 (patch)
treec5756e7863876c211014b563ea1fa14755a078b0 /llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
parentd63436fb2e221535e95f42b0fb3b8124e880f45b (diff)
asan: fix overflows in isSafeAccess
As pointed out in http://reviews.llvm.org/D7583, the current checks can overflow when the object size or access offset crosses a quintillion bytes. http://reviews.llvm.org/D8193 llvm-svn: 232358
Diffstat (limited to 'llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp')
-rw-r--r--llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
index e2d7a6de4e1..c9130925f51 100644
--- a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
+++ b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
@@ -2051,12 +2051,12 @@ bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
Value *Addr, uint64_t TypeSize) const {
SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr);
if (!ObjSizeVis.bothKnown(SizeOffset)) return false;
- int64_t Size = SizeOffset.first.getSExtValue();
+ uint64_t Size = SizeOffset.first.getZExtValue();
int64_t Offset = SizeOffset.second.getSExtValue();
// Three checks are required to ensure safety:
// . Offset >= 0 (since the offset is given from the base ptr)
// . Size >= Offset (unsigned)
// . Size - Offset >= NeededSize (unsigned)
- return Offset >= 0 && Size >= Offset &&
- uint64_t(Size - Offset) >= TypeSize / 8;
+ return Offset >= 0 && Size >= uint64_t(Offset) &&
+ Size - uint64_t(Offset) >= TypeSize / 8;
}
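Review bot: The final comparison `Size - uint64_t(Offset) >= TypeSize / 8` rounds the needed byte count down, so a TypeSize that is not a multiple of 8 bits would be treated as needing one byte fewer than the access touches, and an access judged safe here is presumably left uninstrumented. If every caller passes a store size in whole bytes this cannot happen, but nothing in the hunk enforces it; rounding up with `(TypeSize + 7) / 8` or asserting `TypeSize % 8 == 0` would make the check hold on its own. The comment block still says `NeededSize`, which is not a name in the code, and could read `// . Size - Offset >= TypeSize / 8 bytes (unsigned)`. The signature of isSafeAccess begins above the hunk, so the callers and the origin of TypeSize are not visible here.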