On Oct 22, 2009, at 8:57 PM, Ted Kremenek wrote:

> Author: kremenek
> Date: Thu Oct 22 22:57:22 2009
> New Revision: 84925
>
> URL: http://llvm.org/viewvc/llvm-project?rev=84925&view=rev
> Log:
> Fix integer overflow in PCHReader when reading the length of an
> identifier. This caused a crash when reading PCH files that contained
> long identifier names.
>
> The issue is that 'StrLenPtr' was previously a 'const char *', meaning
> the byte loaded from it would be interpreted as a signed integer. If
> the topmost bit was set, conversion to 'unsigned' would extend that
> bit, causing an overflow.
>
> The solution is to make 'StrLenPtr' an 'unsigned char *', always
> treating the value as an unsigned integer.
>
> This fixes: <rdar://problem/7328900>
>
> Modified:
> cfe/trunk/lib/Frontend/PCHReader.cpp
>
> Modified: cfe/trunk/lib/Frontend/PCHReader.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Frontend/PCHReader.cpp?rev=84925&r1=84924&r2=84925&view=diff
> ==============================================================================
> --- cfe/trunk/lib/Frontend/PCHReader.cpp (original)
> +++ cfe/trunk/lib/Frontend/PCHReader.cpp Thu Oct 22 22:57:22 2009
> @@ -2515,7 +2515,7 @@
> // All of the strings in the PCH file are preceded by a 16-bit
> // length. Extract that 16-bit length to avoid having to execute
> // strlen().
> - const char *StrLenPtr = Str - 2;
> + const unsigned char *StrLenPtr = (const unsigned char*) Str - 2;
> unsigned StrLen = (((unsigned) StrLenPtr[0])
> | (((unsigned) StrLenPtr[1]) << 8)) - 1;
> IdentifiersLoaded[ID - 1]
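Review bot: the trailing `- 1` in the `StrLen` computation of this hunk has no guard for a stored 16-bit length of 0, which would wrap `StrLen` to `UINT_MAX` on a malformed or truncated PCH file; consider checking (or at least asserting) that the loaded 16-bit value is at least 1 before subtracting. The cast in `const unsigned char *StrLenPtr = (const unsigned char*) Str - 2;` is correct as written, since the cast binds before the subtraction, but a short comment saying that plain `char` may be signed on this target and that the `unsigned char` read is what stops bytes >= 0x80 from sign-extending would keep the next reader from "simplifying" it back to `Str - 2`.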
That is really embarrassing. Thanks for tracking down and fixing my heinous bug :(

- Doug

_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
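The mechanism in the commit message above, shown on a constructed record rather than a real PCH file. This is an added example, not clang's code: it places the pre-patch and post-patch length expressions side by side and feeds both the same 16-bit little-endian length prefix. Two assumptions are made here and labelled in the code: the stored field is one larger than the identifier length (the patched expression subtracts 1, the example assumes the extra byte is a NUL terminator), and `signed char` stands in for plain `char` so that the old behaviour is reproduced even on targets where `char` is unsigned.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (assumption, modelled on the commit message):
 * a 16-bit little-endian length, then the identifier bytes. The stored
 * field is assumed to be identifier length + 1 (a NUL terminator), which
 * is what the '- 1' in the patched expression undoes. */
#define MAX_IDENT 65534
static char g_record[2 + MAX_IDENT + 1];

/* Build a record for an identifier of n bytes and return Str, the pointer
 * to the identifier itself, exactly the pointer the reader works from. */
static const char *make_record(size_t n) {
    uint16_t stored = (uint16_t)(n + 1);
    g_record[0] = (char)(stored & 0xFF);   /* low byte first  */
    g_record[1] = (char)(stored >> 8);     /* high byte second */
    memset(g_record + 2, 'a', n);
    g_record[2 + n] = '\0';
    return g_record + 2;
}

/* Pre-patch expression. 'signed char' replaces plain 'char' so the
 * demonstration does not depend on the platform; on targets where char is
 * signed (e.g. the x86 ABIs) this is exactly what the old code did: a byte
 * >= 0x80 becomes a negative int, and converting that to unsigned fills the
 * upper 24 bits with ones. */
unsigned read_len_signed(const char *Str) {
    const signed char *StrLenPtr = (const signed char *)Str - 2;
    return (((unsigned) StrLenPtr[0]) | (((unsigned) StrLenPtr[1]) << 8)) - 1;
}

/* Post-patch expression: each byte contributes only its own 8 bits. */
unsigned read_len_unsigned(const char *Str) {
    const unsigned char *StrLenPtr = (const unsigned char *)Str - 2;
    return (((unsigned) StrLenPtr[0]) | (((unsigned) StrLenPtr[1]) << 8)) - 1;
}

/* Convenience wrappers: build a record of n identifier bytes and decode it. */
unsigned demo_signed_len(size_t n)   { return read_len_signed(make_record(n)); }
unsigned demo_unsigned_len(size_t n) { return read_len_unsigned(make_record(n)); }

int main(void) {
    /* 127 is the first length whose stored value (0x80) has the top bit set;
     * 40000 (stored 0x9C41) shows the same effect through the high byte. */
    size_t lens[] = { 100, 127, 128, 200, 40000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("ident of %5zu bytes: signed-char read = %10u   unsigned-char read = %u\n",
               lens[i], demo_signed_len(lens[i]), demo_unsigned_len(lens[i]));
    }
    return 0;
}
```

Under the assumed layout the two expressions agree for identifiers up to 126 bytes and diverge from 127 bytes on, where the low byte of the stored length reaches 0x80; any length whose high byte is 0x80 or above fails the same way. The decoded value in the bad cases is in the billions, which is why the reader crashed rather than merely mis-reading a name.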
