On 9/26/17, 1:06 PM, "Dan Carpenter" <dan.carpenter@xxxxxxxxxx> wrote:
> Hello Nick Terrell,
>
> The patch 73f3d1b48f50: "lib: Add zstd modules" from Aug 9, 2017,
> leads to the following static checker warning:
>
>     lib/zstd/zstd_opt.h:547 ZSTD_compressBlock_opt_generic()
>     error: buffer overflow 'opt[cur - mlen].rep' 3 <= 3
>
> lib/zstd/zstd_opt.h
> 537
> 538 mlen = opt[cur].mlen;
> 539 if (opt[cur].off > ZSTD_REP_MOVE_OPT) {
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> The checker is complaining that assume "opt[cur].off == ZSTD_REP_MOVE_OPT".
>
> 540     opt[cur].rep[2] = opt[cur - mlen].rep[1];
> 541     opt[cur].rep[1] = opt[cur - mlen].rep[0];
> 542     opt[cur].rep[0] = opt[cur].off - ZSTD_REP_MOVE_OPT;
> 543 } else {
> 544     opt[cur].rep[2] = (opt[cur].off > 1) ? opt[cur - mlen].rep[1] : opt[cur - mlen].rep[2];
> 545     opt[cur].rep[1] = (opt[cur].off > 0) ? opt[cur - mlen].rep[0] : opt[cur - mlen].rep[1];
> 546     opt[cur].rep[0] =
> 547         ((opt[cur].off == ZSTD_REP_MOVE_OPT) && (mlen != 1)) ? (opt[cur - mlen].rep[0] - 1) : (opt[cur - mlen].rep[opt[cur].off]);
>                                                                                                                    ^^^^^^^^^^^^^^^^^
> also we have to assume "mlen == 1" then opt[cur - mlen].rep[opt[cur].off]
> is reading one element beyond the end of the array. It's possible that
> both conditions can't be true but static analysis tools get annoyed when
> we have impossible conditions.

Thanks for the report! I'm not certain if both conditions can be true or not.
I'll investigate tomorrow and post an update, with a patch if necessary.

>
> 548 }
> 549
>
> regards,
> dan carpenter

Best,
Nick Terrell
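The state the checker describes can be reproduced in a reduced model of lines 538-547. This is an added example, not code from the thread or from the kernel tree: `opt_t`, `update_rep` and `rep0_for` are hypothetical names, and `REP_MOVE_OPT` being 3 is an assumption taken from the "3 <= 3" in the warning. It shows which (off, mlen) inputs would index `rep[]` out of bounds, not whether the compressor can ever produce them.

```c
#include <stdint.h>
#include <stdio.h>

#define REP_NUM      3        /* rep[] has 3 elements (checker: "3 <= 3") */
#define REP_MOVE_OPT REP_NUM  /* assumption: stand-in for ZSTD_REP_MOVE_OPT */
typedef struct { uint32_t mlen, off, rep[REP_NUM]; } opt_t; /* reduced model */

/* Mirrors lines 538-547 for opt[cur]. Returns 0, or -1 when the last read
 * would index rep[] out of bounds (the read is skipped, not performed). */
static int update_rep(opt_t *opt, uint32_t cur)
{
    uint32_t mlen = opt[cur].mlen, off = opt[cur].off;
    const opt_t *prev = &opt[cur - mlen];

    if (off > REP_MOVE_OPT) {
        opt[cur].rep[2] = prev->rep[1];
        opt[cur].rep[1] = prev->rep[0];
        opt[cur].rep[0] = off - REP_MOVE_OPT;
        return 0;
    }
    opt[cur].rep[2] = (off > 1) ? prev->rep[1] : prev->rep[2];
    opt[cur].rep[1] = (off > 0) ? prev->rep[0] : prev->rep[1];
    if (off == REP_MOVE_OPT && mlen != 1) {
        opt[cur].rep[0] = prev->rep[0] - 1;
        return 0;
    }
    if (off >= REP_NUM)   /* what is left: off == REP_MOVE_OPT, mlen == 1 */
        return -1;
    opt[cur].rep[0] = prev->rep[off];
    return 0;
}

/* Constructed state: cur = 4, predecessor rep = {10, 20, 30}, mlen in 1..4.
 * Returns the new rep[0], or -1 if the update was flagged. */
static long rep0_for(uint32_t off, uint32_t mlen)
{
    opt_t opt[5] = {0};
    opt_t *prev = &opt[4 - mlen];
    prev->rep[0] = 10; prev->rep[1] = 20; prev->rep[2] = 30;
    opt[4].off = off; opt[4].mlen = mlen;
    return update_rep(opt, 4) ? -1 : (long)opt[4].rep[0];
}

int main(void)
{
    for (unsigned off = 0; off <= REP_MOVE_OPT + 1; off++)
        for (unsigned mlen = 1; mlen <= 3; mlen++)
            printf("off=%u mlen=%u -> %ld\n", off, mlen, rep0_for(off, mlen));
    return 0;
}
```

Of the enumerated states only off == 3 with mlen == 1 is flagged, which is the pair of assumptions named in the report.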