author | Brian Smith <brian@briansmith.org> | 2015-03-17 13:37:06 +0300 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2015-03-17 22:12:54 +0300 |
commit | d53b2c3c88e6044ce26df51d48ca6fd02023230a (patch) | |
tree | b87ee4185d4f9cc38dc04a9747ceedc322a1082c /tool/speed.cc | |
parent | 4df48dd30fceb6615389bb12f160eb5d57c8df99 (diff) |
Fix out-of-bounds memory write in speed.cc.

Windows x64 uses the IL32P64 data model, which means that unsigned int
is 32 bits and size_t is 64 bits. Previously, the expression
|~(alignment - 1)| resulted in the 32-bit value 0xFFFFFFF0, which was
then extended to the 64-bit value 0x00000000FFFFFFF0 when promoted to
size_t. When the input pointer was masked with this value, the result
was a pointer that was usually way outside the boundaries of the array.

The new code casts |alignment| to size_t first prior to the bitwise
negation, resulting in the correct mask value of 0xFFFFFFFFFFFFFFF0.

Change-Id: I04754aa9e1ce7a615c2b4c74051cfcca38dbb52f
Reviewed-on: https://boringssl-review.googlesource.com/3961
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'tool/speed.cc')
-rw-r--r-- | tool/speed.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/tool/speed.cc b/tool/speed.cc index 2df6f901..dbaaf465 100644 --- a/tool/speed.cc +++ b/tool/speed.cc @@ -175,7 +175,8 @@ struct free_functor { static uint8_t *align(uint8_t *in, unsigned alignment) { return reinterpret_cast<uint8_t *>( - (reinterpret_cast<uintptr_t>(in) + alignment) & ~(alignment - 1)); + (reinterpret_cast<uintptr_t>(in) + alignment) & + ~static_cast<size_t>(alignment - 1)); } static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name, |
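Review bot: In the added `~static_cast<size_t>(alignment - 1)` line the mask is widened to size_t while the other operand is `reinterpret_cast<uintptr_t>(in) + alignment`; only uintptr_t is defined to hold a pointer value, so `~static_cast<uintptr_t>(alignment - 1)` would keep the mask and the address in one type. The subtraction still happens in unsigned before the cast, which is fine for a non-zero power-of-two alignment but yields a wrong mask if alignment is 0; declaring the parameter as `size_t alignment` (or uintptr_t) would remove the mixed-width arithmetic altogether, and an assert that alignment is a non-zero power of two would document the precondition. The function also adds alignment rather than alignment - 1, so an already aligned input still moves forward by a full alignment; callers have to over-allocate by that much, which deserves a comment on align().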