From 4273a5edc862bd5f620ad0c7f11d20cd040e005c Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Wed, 24 Jul 2024 21:18:40 -0400 Subject: [PATCH] connection: Avoid undefined pointer arithmetic Creating a pointer that is more than one element past the end of an array is undefined behavior, even if the pointer is not dereferenced. Avoid this undefined behavior by using `p >= end` instead of `p + 1 > end` and `SOMETHING > end - p` instead of `p + SOMETHING > end`. Signed-off-by: Demi Marie Obenour --- src/connection.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/connection.c b/src/connection.c index 6b28d21d..1177d667 100644 --- a/src/connection.c +++ b/src/connection.c @@ -928,7 +928,7 @@ wl_connection_demarshal(struct wl_connection *connection, for (i = 0; i < count; i++) { signature = get_next_argument(signature, &arg); - if (arg.type != WL_ARG_FD && p + 1 > end) { + if (arg.type != WL_ARG_FD && p >= end) { wl_log("message too short, " "object (%d), message %s(%s)\n", closure->sender_id, message->name, @@ -1351,7 +1351,7 @@ serialize_closure(struct wl_closure *closure, uint32_t *buffer, if (arg.type == WL_ARG_FD) continue; - if (p + 1 > end) + if (p >= end) goto overflow; switch (arg.type) { @@ -1379,7 +1379,7 @@ serialize_closure(struct wl_closure *closure, uint32_t *buffer, size = strlen(closure->args[i].s) + 1; *p++ = size; - if (p + div_roundup(size, sizeof *p) > end) + if (div_roundup(size, sizeof *p) > (uint32_t)(end - p)) goto overflow; memcpy(p, closure->args[i].s, size); @@ -1394,7 +1394,7 @@ serialize_closure(struct wl_closure *closure, uint32_t *buffer, size = closure->args[i].a->size; *p++ = size; - if (p + div_roundup(size, sizeof *p) > end) + if (div_roundup(size, sizeof *p) > (uint32_t)(end - p)) goto overflow; if (size != 0)