On Fri, Jan 10, 2014 at 7:42 PM, Ryan Mallon <[email protected]> wrote:
>> +22 bytes on x86 :/
>>
>> How about this?
>>
>> p += len;
>> sz -= len;
>> - if ((int)sz < 0
>> + if (
>> + /** (int)sz < 0 - not good enough for huge malicious
>> VALUE of 2^32-1 */
>> + (int)(sz|len) < 0 /* this works */
>> || len == 0
>> || errno != EINVAL
>> || *end != ' '
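Review bot: the cast in "(int)(sz|len) < 0" only inspects the low 32 bits, so the check holds when sz and len are 32-bit (the x86 build mentioned above) but not if they are a 64-bit size_t, where a len with a bit set above bit 31 and bit 31 clear is truncated away before the sign test; casting to a signed type as wide as the operands (e.g. ssize_t) keeps the property on both widths. Also, the retired "(int)sz < 0" is left behind as a "/** ... */" comment inside the condition; dropping it, or moving the explanation above the if, keeps the condition readable.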
>
>
> That doesn't work. Try:
>
> sz = 512
> len = 0x7fffffff
>
> Will result in sz being set to 0x7ffffdff and passing the check.
No, it won't:
$ echo 'int main(){printf("%d\n", 512 - 0x7fffffff);}' | gcc -xc - && ./a.out
<stdin>: In function ‘main’:
<stdin>:1:12: warning: incompatible implicit declaration of built-in
function ‘printf’ [enabled by default]
-2147483135
$ echo 'int main(){printf("%d\n", (512 - 0x7fffffff) | 0x7fffffff);}' | gcc -xc - && ./a.out
<stdin>: In function ‘main’:
<stdin>:1:12: warning: incompatible implicit declaration of built-in
function ‘printf’ [enabled by default]
-1
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
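The two checks argued over above, side by side, as an added example that is not from the thread or from BusyBox: the harness and its function names are hypothetical, and the 64-bit functions go beyond the x86 case to show what the (int) cast drops when the operands are wider than int.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical harness, not BusyBox code: sz is the number of bytes still
 * available and len is the length parsed from untrusted input.  Both are
 * 32-bit unsigned here, matching the x86 build the thread talks about. */

/* The '-' line of the quoted patch: only the remaining size is inspected. */
static bool naive_rejects(uint32_t sz, uint32_t len)
{
    sz -= len;                 /* wraps modulo 2^32 when len > sz */
    return (int32_t)sz < 0;    /* gcc/clang: top bit set reads as negative */
}

/* The '+' line of the quoted patch: OR-ing len in also flags a len whose
 * own top bit is set, which the subtraction alone can wrap back into a
 * small positive remainder (e.g. 512 - 0xffffffff == 513 modulo 2^32). */
static bool ored_rejects(uint32_t sz, uint32_t len)
{
    sz -= len;
    return (int32_t)(sz | len) < 0;
}

/* Same expression with size_t-wide operands but the original (int) cast:
 * the cast keeps only the low 32 bits, so bits 32..63 of len are ignored. */
static bool ored_rejects_trunc64(uint64_t sz, uint64_t len)
{
    sz -= len;
    return (int32_t)(uint32_t)(sz | len) < 0;  /* what (int) does on gcc */
}

/* Casting to a signed type as wide as the operands restores the check. */
static bool ored_rejects_wide64(uint64_t sz, uint64_t len)
{
    sz -= len;
    return (int64_t)(sz | len) < 0;
}

int main(void)
{
    printf("sz=512 len=0x7fffffff: naive=%d ored=%d\n",
           naive_rejects(512, 0x7fffffffu), ored_rejects(512, 0x7fffffffu));
    printf("sz=512 len=0xffffffff: naive=%d ored=%d\n",
           naive_rejects(512, 0xffffffffu), ored_rejects(512, 0xffffffffu));
    printf("64-bit sz=512 len=2^32: trunc=%d wide=%d\n",
           ored_rejects_trunc64(512, 1ULL << 32),
           ored_rejects_wide64(512, 1ULL << 32));
    return 0;
}
```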