Re: Possible array overrun in lzma_reset()

From: Lasse Collin
Date: Mon Jan 24 2011 - 08:29:21 EST


On 2011-01-23 Andreas Schwab wrote:
> Jesper Juhl <jj@xxxxxxxxxxxxx> writes:
>
> > 787 probs = s->lzma.is_match[0];
> > At conditional (1): "i < 14134UL" taking true path
> > At conditional (2): "i < 14134UL" taking true path
> > At conditional (3): "i < 14134UL" taking true path
> > 788 for (i = 0; i < PROBS_TOTAL; ++i)
> > Event overrun-local: Overrunning static array of size 32 bytes at byte position 28266 by indexing pointer "probs" with index variable "i".
> > Event overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun.
> > 789 probs[i] = RC_BIT_MODEL_TOTAL / 2;
> > ...
> >
> > I looked into the report and found that 's->lzma.is_match' is
> > uint16_t is_match[STATES][POS_STATES_MAX]
> > where 'STATES' is '#define STATES 12' and 'POS_STATES_MAX' is '#define POS_STATES_MAX (1 << 4)'.
> >
> > So I think the checker has a point.
>
> The loop treats the part of the structure from is_match to the end as
> a single array of PROBS_TOTAL uint16_t (which it is, in effect).

Correct. The comment in the code tries to say it too:

* All probabilities are initialized to the same value. This hack
* makes the code smaller by avoiding a separate loop for each
* probability array.

So there is no bug.

--
Lasse Collin | IRC: Larhzu @ IRCnet & Freenode
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/