On 1/13/2026 7:56 PM, Timur Tabi wrote:
> On Mon, 2026-01-12 at 19:00 -0500, Joel Fernandes wrote:
>> Since this subtraction's values come from fw, it would be good to use
>> checked_sub(). Otherwise, this could:
>>
>> 1. blow up if overflow checking is enabled.
>> 2. len can underflow and be entirely plausible but incorrect, causing
>>    unpredictable failures.
>>
>> I am fixing other similar existing issues in nova-core as well, but since this
>> patch is in flight, it'd be great to fix it in the next posting (it sounds
>> like there will be a next posting).
>
> I'll make this fix for v6, but stuff like this is why I think the
> constructors for these objects should verify the bits of the images in fw,
> and return a Result<> if they are corrupted.
Yeah, makes sense. AFAIK, what is agreed on is if we are 100% sure of the values (have checked them before), then we don't need to use checked arithmetic again at these sites as it is redundant. Thanks.
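To illustrate the two points above (a wrapping subtraction on firmware-sourced lengths versus validating once in a constructor that returns a Result), here is an added example; it is not nova-core code, and the header layout, struct and field names are assumptions made up for illustration.

```rust
// Added example, not from the nova-core patch under discussion.
// Assumed layout: two little-endian u32 fields, total_len then header_len.

#[derive(Debug, PartialEq)]
pub enum FwError {
    Truncated,
    BadLength { total: u32, header: u32 },
}

#[derive(Debug, PartialEq)]
pub struct FwHeader {
    pub total_len: u32,
    pub header_len: u32,
}

/// Little-endian u32 from 4 bytes (caller guarantees the slice length).
fn le_u32(b: &[u8]) -> u32 {
    (b[0] as u32) | ((b[1] as u32) << 8) | ((b[2] as u32) << 16) | ((b[3] as u32) << 24)
}

/// The pattern being discouraged: a plain subtraction on untrusted values.
/// With overflow checks it panics on a corrupt image; without them it wraps
/// to a huge, plausible-looking length.
pub fn payload_len_unchecked(h: &FwHeader) -> u32 {
    h.total_len.wrapping_sub(h.header_len)
}

impl FwHeader {
    /// Validate the firmware bits once and reject corrupt images with Err,
    /// so later arithmetic can rely on total_len >= header_len.
    pub fn parse(bytes: &[u8]) -> Result<Self, FwError> {
        if bytes.len() < 8 {
            return Err(FwError::Truncated);
        }
        let total_len = le_u32(&bytes[0..4]);
        let header_len = le_u32(&bytes[4..8]);
        // checked_sub turns header_len > total_len into an error instead of a wrap.
        total_len
            .checked_sub(header_len)
            .ok_or(FwError::BadLength { total: total_len, header: header_len })?;
        Ok(FwHeader { total_len, header_len })
    }

    /// Safe after parse() established the invariant; no second check needed.
    pub fn payload_len(&self) -> u32 {
        self.total_len - self.header_len
    }
}
```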
