Fix out-of-bounds memory write in speed.cc.

Windows x64 uses the IL32P64 data model, which means that unsigned int
is 32 bits and size_t is 64 bits. Previously, the expression
|~(alignment - 1)| resulted in the 32-bit value 0xFFFFFFF0, which was
then extended to the 64-bit value 0x00000000FFFFFFF0 when promoted to
size_t. When the input pointer was masked with this value, the result
was a pointer that was usually way outside the boundaries of the array.

The new code casts |alignment| to size_t first prior to the bitwise
negation, resulting in the correct mask value of 0xFFFFFFFFFFFFFFF0.

Change-Id: I04754aa9e1ce7a615c2b4c74051cfcca38dbb52f
Reviewed-on: https://boringssl-review.googlesource.com/3961
Reviewed-by: Adam Langley <agl@google.com>
Brian Smith 2015-03-17 00:37:06 -10:00 committed by Adam Langley
parent 4df48dd30f
commit d53b2c3c88

@ -175,7 +175,8 @@ struct free_functor {
static uint8_t *align(uint8_t *in, unsigned alignment) { static uint8_t *align(uint8_t *in, unsigned alignment) {
return reinterpret_cast<uint8_t *>( return reinterpret_cast<uint8_t *>(
(reinterpret_cast<uintptr_t>(in) + alignment) & ~(alignment - 1)); (reinterpret_cast<uintptr_t>(in) + alignment) &
~static_cast<size_t>(alignment - 1));
} }
static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name, static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
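
Review bot: in the added line `~static_cast<size_t>(alignment - 1)`, the subtraction is still evaluated in 32-bit `unsigned` and only its result is widened, whereas the commit message says `alignment` is cast before the negation. The mask comes out the same for any power-of-two alignment, but nothing in `align()` checks that `alignment` is a nonzero power of two, and with `alignment == 0` the widened mask clears the low 32 bits of the pointer. Consider changing the parameter type to `size_t` (or casting `alignment` itself before subtracting) and asserting the power-of-two precondition. The left operand is `uintptr_t`, so casting the mask to `uintptr_t` rather than `size_t` would also keep both sides of the `&` in the same type. Separately, `in + alignment` advances an already-aligned pointer by a full `alignment`, so callers need `alignment` bytes of slack, not `alignment - 1`; a short comment on the function would document that.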