From d53b2c3c88e6044ce26df51d48ca6fd02023230a Mon Sep 17 00:00:00 2001
From: Brian Smith
Date: Tue, 17 Mar 2015 00:37:06 -1000
Subject: [PATCH] Fix out-of-bounds memory write in speed.cc.

Windows x64 uses the IL32P64 data model, which means that unsigned int is 32 bits and size_t is 64 bits. Previously, the expression |~(alignment - 1)| resulted in the 32-bit value 0xFFFFFFF0, which was then extended to the 64-bit value 0x00000000FFFFFFF0 when promoted to size_t. When the input pointer was masked with this value, the result was a pointer that was usually way outside the boundaries of the array. The new code casts |alignment| to size_t first prior to the bitwise negation, resulting in the correct mask value of 0xFFFFFFFFFFFFFFF0.

Change-Id: I04754aa9e1ce7a615c2b4c74051cfcca38dbb52f
Reviewed-on: https://boringssl-review.googlesource.com/3961
Reviewed-by: Adam Langley
---
 tool/speed.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tool/speed.cc b/tool/speed.cc
index 2df6f901..dbaaf465 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc
@@ -175,7 +175,8 @@ struct free_functor {
 static uint8_t *align(uint8_t *in, unsigned alignment) {
 return reinterpret_cast(
- (reinterpret_cast(in) + alignment) & ~(alignment - 1));
+ (reinterpret_cast(in) + alignment) &
+ ~static_cast(alignment - 1));
 }
 static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
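Review bot: The widened mask on the second `+` line still relies on `alignment` being a nonzero power of two, which nothing in `align` checks; for any other value `~(alignment - 1)` silently produces a pointer that is not aligned as the caller expects, and `alignment == 0` wraps the subtraction before the cast. A one-line contract check at the top of the function, `assert(alignment != 0 && (alignment & (alignment - 1)) == 0);`, would catch a bad benchmark parameter at the call site instead of as a misaligned buffer later (assuming an assert header is already available in speed.cc). On the width problem the commit fixes, the mask is typed by the cast to `size_t` (per the commit message; the template arguments are stripped in this rendering) rather than by the integer type the pointer on the preceding line is converted to, so the two operands agree only because `size_t` and that type happen to be the same width on the platforms named; casting to the same type as the `reinterpret_cast` of `in` (`uintptr_t` if that is what is used) would make the widths agree by construction. `align` lies entirely within this hunk.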