Fix out-of-bounds memory write in speed.cc.

Windows x64 uses the IL32P64 data model, which means that unsigned int is 32 bits and size_t is 64 bits. Previously, the expression |~(alignment - 1)| resulted in the 32-bit value 0xFFFFFFF0, which was then extended to the 64-bit value 0x00000000FFFFFFF0 when promoted to size_t. When the input pointer was masked with this value, the result was a pointer that was usually way outside the boundaries of the array. The new code casts |alignment| to size_t first prior to the bitwise negation, resulting in the correct mask value of 0xFFFFFFFFFFFFFFF0. Change-Id: I04754aa9e1ce7a615c2b4c74051cfcca38dbb52f Reviewed-on: https://boringssl-review.googlesource.com/3961 Reviewed-by: Adam Langley <agl@google.com>
author: Brian Smith <brian@briansmith.org> 2015-03-17 13:37:06 +0300
committer: Adam Langley <agl@google.com> 2015-03-17 22:12:54 +0300
commit: d53b2c3c88e6044ce26df51d48ca6fd02023230a (patch)
tree: b87ee4185d4f9cc38dc04a9747ceedc322a1082c /tool
parent: 4df48dd30fceb6615389bb12f160eb5d57c8df99 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/tool/speed.cc b/tool/speed.cc
index 2df6f901..dbaaf465 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc
@@ -175,7 +175,8 @@ struct free_functor {
 
 static uint8_t *align(uint8_t *in, unsigned alignment) {
   return reinterpret_cast<uint8_t *>(
-      (reinterpret_cast<uintptr_t>(in) + alignment) & ~(alignment - 1));
+      (reinterpret_cast<uintptr_t>(in) + alignment) &
+      ~static_cast<size_t>(alignment - 1));
 }
 
 static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
author	Brian Smith <brian@briansmith.org>	2015-03-17 13:37:06 +0300
committer	Adam Langley <agl@google.com>	2015-03-17 22:12:54 +0300
commit	d53b2c3c88e6044ce26df51d48ca6fd02023230a (patch)
tree	b87ee4185d4f9cc38dc04a9747ceedc322a1082c /tool
parent	4df48dd30fceb6615389bb12f160eb5d57c8df99 (diff)