Fix broken pointer overflow check ns_name_unpack() Many compilers may optimize away the overflow check `msg + l < msg', where `msg' is a pointer and `l' is an integer, because pointer overflow is undefined behavior in C. Use a safe precondition test `l >= eom - msg' instead. Bug: 13219633 Change-Id: I3fca2125834073cc36d7e9c4e586e97842265a59

commit: 85c5202a64e3cb63e54550fca7bb11f24b9d12cc [log] [tgz]
author: Calin Juravle <calin@google.com> Thu Mar 06 17:05:49 2014 +0000
committer: Calin Juravle <calin@google.com> Thu Mar 06 18:39:29 2014 +0000
tree: b43e02681bb813fa3cfff49b3da3366d224b7b4c
parent: fcb502e3ec032497bba7f8634fb214e0c05394d8 [diff]
diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c
index 12bf029..e3759ab 100644
--- a/libc/dns/nameser/ns_name.c
+++ b/libc/dns/nameser/ns_name.c

@@ -473,11 +473,14 @@
 				_DIAGASSERT(__type_fit(int, srcp - src + 1));
 				len = (int)(srcp - src + 1);
 			}
-			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
-			if (srcp < msg || srcp >= eom) {  /* Out of range. */
+			// BEGIN android-changed: safer pointer overflow check
+			l = (((n & 0x3f) << 8) | (*srcp & 0xff));
+			if (l >= eom - msg) {  /* Out of range. */
 				errno = EMSGSIZE;
 				return (-1);
 			}
+			srcp = msg + l;
+			// END android-changed
 			checked += 2;
 			/*
 			 * Check for loops in the compressed name;
commit	85c5202a64e3cb63e54550fca7bb11f24b9d12cc	[log] [tgz]
author	Calin Juravle <calin@google.com>	Thu Mar 06 17:05:49 2014 +0000
committer	Calin Juravle <calin@google.com>	Thu Mar 06 18:39:29 2014 +0000
tree	b43e02681bb813fa3cfff49b3da3366d224b7b4c
parent	fcb502e3ec032497bba7f8634fb214e0c05394d8 [diff]