8371647: 7 Integer overflows in mlib_malloc of mlib_sys.c:85 #28560
Conversation
|
👋 Welcome back dnguyen! A progress list of the required criteria for merging this PR into |
|
❗ This change is not yet ready to be integrated. |
|
|
||
| if (bsize > BUFF_SIZE) { | ||
| if (!SAFE_TO_MULT(bsize, (mlib_s32)sizeof(FTYPE))) return MLIB_FAILURE; | ||
|
|
||
| pbuff = mlib_malloc(sizeof(FTYPE)*bsize); |
There was a problem hiding this comment.
If mlib_malloc ends up in
void *__mlib_malloc(mlib_u32 size);
which I think it must do, because I can't find anything else,
then that accepts an unsigned 32 bit int, which makes sense because malloc accepts a size_t which is unsigned.
Note that sizeof() returns size_t too, so the multiplication result should be promoted to unsigned in the existing code, and preserved when passed as an arg.
But SAFE_TO_MULT will return a failure on overflow of signed arithmetic. So I think we need something different here so we don't reject cases which are actually OK. ie in at least cases like this, we want to detect overflow of 32 bit unsigned, not 32 bit signed.
2 participants
There is a possible overflow when using
mlib_alloc(). For example,mlib_alloc(sizeof(mlib_s32) * (m * n))may overflow if m and n are greater than 46430, since this would be greater than the max value for a signed 32 bit integer. I have addedSAFE_TO_ADDandSAFE_TO_MULTin an attempt to amend this issue. CI testing shows all green.Progress
Issue
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/28560/head:pull/28560$ git checkout pull/28560Update a local copy of the PR:
$ git checkout pull/28560$ git pull https://git.openjdk.org/jdk.git pull/28560/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 28560View PR using the GUI difftool:
$ git pr show -t 28560Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/28560.diff
Using Webrev
Link to Webrev Comment