authorValentina Demiciseaux <vallyyyyy@proton.me>2026-02-14 23:46:26 +0000
committerMattias Andrée <m@maandree.se>2026-02-15 01:47:02 +0100
commit0121293f8de339d2c6d26da63a92f79cfff1b871 (patch)
tree46256745396190d435ae980eef6e18289eaddea8
parentUse ar(1)'s s-flag instead of invoking ranlib(1) (diff)
fix out of bounds read in zlsb()
Previously, i was scaled from a char index to a bit index before being used to index a->chars[], so the read was out of bounds (a page fault or garbage data). Scale i after the read instead. Here is a reproducer: #include <stdio.h> #include "libzahl/zahl.h" int main(void) { z_t x; zinit(x); zsetu(x, 1); zlsh(x, x, 2097153); printf("used chars: expect 32769, have %lu\n", x->used); size_t tz = zlsb(x); printf("tz: expect 2097153, have %lu\n", tz); }
-rw-r--r--zahl/inlines.h8
1 files changed, 4 insertions, 4 deletions
diff --git a/zahl/inlines.h b/zahl/inlines.h
index 8cb9af2..43faacf 100644
--- a/zahl/inlines.h
+++ b/zahl/inlines.h
@@ -88,13 +88,13 @@ zsetu(z_t a, uint64_t b)
ZAHL_INLINE size_t
zlsb(z_t a)
{
- size_t i = 0;
+ size_t i = 0, j = 0;
if (ZAHL_UNLIKELY(zzero(a)))
return SIZE_MAX;
for (; !a->chars[i]; i++);
- i *= 8 * sizeof(zahl_char_t);
- ZAHL_ADD_CTZ(i, a->chars[i]);
- return i;
+ ZAHL_ADD_CTZ(j, a->chars[i]);
+ j += i * 8 * sizeof(zahl_char_t);
+ return j;
}
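Review bot: The scan `for (; !a->chars[i]; i++);` kept on the line before the new ZAHL_ADD_CTZ is still unbounded, and nothing in the hunk records why it terminates: it relies on the zzero(a) early return guaranteeing that a non-zero value has at least one non-zero char below a->used, which I cannot confirm from zzero's definition here. I would add `/* zzero() above guarantees a non-zero char exists below a->used, so this scan terminates; i is a char index and must be used as one before scaling to bits. */` above that loop so the next reorder does not reintroduce the out-of-bounds read. The new ordering itself looks right: j receives the trailing-zero count of the first non-zero char, then i whole chars' worth of bits are added. The reproducer in the description would make a good regression test if the repository has a test suite, presumably under a test directory; note it uses `%lu` for size_t where `%zu` is the portable specifier.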