Fix broken pointer overflow check ns_name_unpack()
Many compilers may optimize away the overflow check `msg + l < msg',
where `msg' is a pointer and `l' is an integer, because pointer
overflow is undefined behavior in C.
Use a safe precondition test `l >= eom - msg' instead.
Bug: 13219633
Change-Id: I3fca2125834073cc36d7e9c4e586e97842265a59
diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c
index 12bf029..e3759ab 100644
--- a/libc/dns/nameser/ns_name.c
+++ b/libc/dns/nameser/ns_name.c
@@ -473,11 +473,14 @@
_DIAGASSERT(__type_fit(int, srcp - src + 1));
len = (int)(srcp - src + 1);
}
- srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
- if (srcp < msg || srcp >= eom) { /* Out of range. */
+ // BEGIN android-changed: safer pointer overflow check
+ l = (((n & 0x3f) << 8) | (*srcp & 0xff));
+ if (l >= eom - msg) { /* Out of range. */
errno = EMSGSIZE;
return (-1);
}
+ srcp = msg + l;
+ // END android-changed
checked += 2;
/*
* Check for loops in the compressed name;
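Review bot: The new test `l >= eom - msg` compares an integer with a pointer difference, so its correctness depends on the declared type of `l` and on `eom >= msg`, neither of which is visible in this hunk. The value is masked to 14 bits and cannot be negative, which is why dropping the old `srcp < msg` lower bound is sound. If `l` were declared unsigned, though, a negative `eom - msg` could be converted to a large unsigned value on some ABIs and pass the test. Writing the condition as `if ((ptrdiff_t)l >= eom - msg) {` and adding a comment such as `/* l is a 14-bit compression offset (0..0x3fff); test it before forming msg + l */` would pin both assumptions for the next reader. The enclosing function starts and ends outside the hunk, so the earlier guard that makes the `*srcp` read safe should be confirmed there.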