On 11/01/14 13:46, Denys Vlasenko wrote: > On Fri, Jan 10, 2014 at 7:42 PM, Ryan Mallon <[email protected]> wrote: >>> +22 bytes on x86 :/ >>> >>> How about this? >>> >>> p += len; >>> sz -= len; >>> - if ((int)sz < 0 >>> + if ( >>> + /** (int)sz < 0 - not good enough for huge malicious >>> VALUE of 2^32-1 */ >>> + (int)(sz|len) < 0 /* this works */ >>> || len == 0 >>> || errno != EINVAL >>> || *end != ' ' >> >> >> That doesn't work. Try: >> >> sz = 512 >> len = 0x7fffffff >> >> Will result in sz being set to 0x7ffffdff and passing the check. > > No, it won't: > > $ echo 'int main(){printf("%d\n", 512 - 0x7fffffff);}' | gcc -xc - && ./a.out > <stdin>: In function ‘main’: > <stdin>:1:12: warning: incompatible implicit declaration of built-in > function ‘printf’ [enabled by default] > -2147483135 > > $ echo 'int main(){printf("%d\n", (512 - 0x7fffffff) | 0x7fffffff);}' > | gcc -xc - && ./a.out > <stdin>: In function ‘main’: > <stdin>:1:12: warning: incompatible implicit declaration of built-in > function ‘printf’ [enabled by default] > -1
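Review bot: In the rewritten condition, `(int)(sz|len) < 0` only tests the top bit of each operand after `p += len; sz -= len;` have already run, so it is sound only if `sz` and `len` are both 32 bits wide and `sz` was below 2^31 before the subtraction; the hunk states neither assumption. The `/* this works */` comment should say that instead, for example that the OR folds "len has its top bit set" and "sz wrapped below zero" into one sign test. The disabled old test left inside the `if (` as a `/** ... */` comment would be better dropped or moved to the commit message. If both variables are unsigned and the size cost is acceptable, testing `len > sz` before the subtraction expresses the same bound without relying on wraparound or on an implementation-defined cast to int.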
Oops, I got len and sz backwards when I was checking it :-/. Your version is correct I think.

~Ryan
