Fix out-of-bounds memory write in speed.cc.

Windows x64 uses the IL32P64 data model, which means that unsigned int is 32 bits and size_t is 64 bits. Previously, the expression |~(alignment - 1)| resulted in the 32-bit value 0xFFFFFFF0, which was then extended to the 64-bit value 0x00000000FFFFFFF0 when promoted to size_t. When the input pointer was masked with this value, the result was a pointer that was usually way outside the boundaries of the array. The new code casts |alignment| to size_t first prior to the bitwise negation, resulting in the correct mask value of 0xFFFFFFFFFFFFFFF0. Change-Id: I04754aa9e1ce7a615c2b4c74051cfcca38dbb52f Reviewed-on: https://boringssl-review.googlesource.com/3961 Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 00:37:06 -10:00 · 2015-03-17 00:37:06 -10:00 · d53b2c3c88
commit d53b2c3c88
parent 4df48dd30f
1 changed files with 2 additions and 1 deletions
--- a/tool/speed.cc
+++ b/tool/speed.cc
@ -175,7 +175,8 @@ struct free_functor {

 static uint8_t *align(uint8_t *in, unsigned alignment) {
  return reinterpret_cast<uint8_t *>(
-      (reinterpret_cast<uintptr_t>(in) + alignment) & ~(alignment - 1));
+      (reinterpret_cast<uintptr_t>(in) + alignment) &
+      ~static_cast<size_t>(alignment - 1));
 }

 static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,