commit 7f5c6593f298ebbef9d2a669118968ea3873aa9d
author Jinguang Dong <dongjinguang@huawei.com> Mon Mar 20 17:29:50 2017 +0800
committer liuchao <liuchao741@huawei.com> Thu Mar 23 15:19:33 2017 +0800
tree 3cb3eb550738b9ec4427562eccafd6e605fcfb72
parent 56509312054d667c83e168f01037556edba747a5

Fix a not properly handled pointer comparison that caused UB

The if condition in gatekeeper_messages.cpp read_from_buffer
"if(buffer_end > end || buffer_end <= *buffer)" is not
properly handled

The (buffer_end < *buffer) is gone while run, which lead to UB.
It's easy reproduce in 32-bit mode in GARBAGE_TEST(VerifyRequest).

Test: mm -j8
      gatekeeper_messages_test GARBAGE_TEST(VerifyRequest)

Change-Id: I1bc2ab006788a7d387f9dd99d1bcb8edb45e04fe

gatekeeper_messages.cpp

diff --git a/gatekeeper_messages.cpp b/gatekeeper_messages.cpp
index fc76d5e..41972bb 100644
--- a/gatekeeper_messages.cpp
+++ b/gatekeeper_messages.cpp
@@ -52,8 +52,8 @@
     memcpy(&target->length, *buffer, sizeof(target->length));
     *buffer += sizeof(target->length);
     if (target->length != 0) {
-        const uint8_t *buffer_end = *buffer + target->length;
-        if (buffer_end > end || buffer_end <= *buffer) return ERROR_INVALID;
+        const size_t buffer_size = end - *buffer;
+        if (buffer_size < target->length) return ERROR_INVALID;
 
         target->buffer.reset(new uint8_t[target->length]);
         memcpy(target->buffer.get(), *buffer, target->length);