Fix a not properly handled pointer comparison that caused UB
The if condition in gatekeeper_messages.cpp read_from_buffer
"if(buffer_end > end || buffer_end <= *buffer)" is not
properly handled
The (buffer_end < *buffer) is gone at run time, which led to UB.
It's easy to reproduce in 32-bit mode in GARBAGE_TEST(VerifyRequest).
Test: mm -j8
gatekeeper_messages_test GARBAGE_TEST(VerifyRequest)
Change-Id: I1bc2ab006788a7d387f9dd99d1bcb8edb45e04fe
diff --git a/gatekeeper_messages.cpp b/gatekeeper_messages.cpp
index fc76d5e..41972bb 100644
--- a/gatekeeper_messages.cpp
+++ b/gatekeeper_messages.cpp
@@ -52,8 +52,8 @@
memcpy(&target->length, *buffer, sizeof(target->length));
*buffer += sizeof(target->length);
if (target->length != 0) {
- const uint8_t *buffer_end = *buffer + target->length;
- if (buffer_end > end || buffer_end <= *buffer) return ERROR_INVALID;
+ const size_t buffer_size = end - *buffer;
+ if (buffer_size < target->length) return ERROR_INVALID;
target->buffer.reset(new uint8_t[target->length]);
memcpy(target->buffer.get(), *buffer, target->length);
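Review bot: In the added line "const size_t buffer_size = end - *buffer;" the pointer difference is signed and is converted to size_t, so the new check is only sound if *buffer <= end at that point. The visible context advances *buffer by sizeof(target->length) just above, and nothing in this hunk shows that those bytes were confirmed to lie before end. If code above the hunk does not already guarantee it, a negative difference wraps to a very large buffer_size, the comparison "buffer_size < target->length" is false, and the memcpy reads past end. Please confirm the earlier bound or add an explicit "if (*buffer > end) return ERROR_INVALID;" before the subtraction. A short comment noting that the length is compared against the remaining size, rather than forming "*buffer + target->length", to avoid pointer overflow would also keep the old form from being reintroduced.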