Message-ID: <15aabbdb3c4953608a4f19497b3bffb0@terzarima.net>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] Bounds checking bug in fcall(2) functions
From: Charles Forsyth
Date: Fri, 9 Nov 2007 22:42:17 +0000
In-Reply-To: <815f4e4b0711091420n2f6e9607nab13575f356b78d0@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Topicbox-Message-UUID: f1712d6c-ead2-11e9-9d60-3106f5b1d025

> For example in convM2D() it sets ebuf as:
> ebuf = buf + nbuf;
>
> and then checks if reads will go past ebuf. But ebuf will point to the
> first byte after the buffer, so past ebuf will include the byte after
> the buffer. So it can potentially try to read or write to one byte
> past the buffer in all these functions.

It would if it tried to access that byte, but it doesn't in convM2D.c or convD2M.c: it's checking that the resulting pointer after accessing the bytes will still be <= ebuf, which (I think) is correct.
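The one-past-the-end convention the reply describes, as an added illustration rather than the Plan 9 fcall code: ebuf = buf + nbuf, and a field of n bytes at p is accepted only when p + n <= ebuf. The Reader type, the rd_* helpers and the 2-byte count plus 4-byte value layout are hypothetical; with a 5-byte buffer the 4-byte field would end exactly at ebuf and is rejected, with 6 bytes it is accepted.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimal message reader (not the Plan 9 fcall code).
 * ebuf points one past the last valid byte, as ebuf = buf + nbuf does in
 * the thread; a field of n bytes at p is in bounds iff p + n <= ebuf, so
 * the byte at ebuf itself is never touched. */
typedef struct Reader {
    const unsigned char *p;    /* next byte to consume */
    const unsigned char *ebuf; /* one past the end of the buffer */
} Reader;

static void rd_init(Reader *r, const unsigned char *buf, size_t nbuf) {
    r->p = buf;
    r->ebuf = buf + nbuf;
}

/* Same test as p + n <= ebuf, written as a remaining length so no pointer
 * beyond ebuf is ever formed (p <= ebuf always holds here). */
static int rd_fits(const Reader *r, size_t n) {
    return (size_t)(r->ebuf - r->p) >= n;
}

/* Little-endian 16-bit field; returns 0 and reads nothing on overrun. */
static int rd_u16(Reader *r, uint16_t *out) {
    if (!rd_fits(r, 2))
        return 0;
    *out = (uint16_t)(r->p[0] | (r->p[1] << 8));
    r->p += 2;
    return 1;
}

/* Little-endian 32-bit field; returns 0 and reads nothing on overrun. */
static int rd_u32(Reader *r, uint32_t *out) {
    if (!rd_fits(r, 4))
        return 0;
    *out = (uint32_t)r->p[0] | ((uint32_t)r->p[1] << 8)
         | ((uint32_t)r->p[2] << 16) | ((uint32_t)r->p[3] << 24);
    r->p += 4;
    return 1;
}

/* Parse a constructed message: 2-byte count then 4-byte value. Returns 1
 * if both fields lie within nbuf bytes, 0 if the message is short. */
static int parse_msg(const unsigned char *buf, size_t nbuf,
                     uint16_t *count, uint32_t *val) {
    Reader r;
    rd_init(&r, buf, nbuf);
    return rd_u16(&r, count) && rd_u32(&r, val);
}
```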