On Thu, Oct 17, 2024 at 09:54:47PM +0200, Kees Bakker wrote:
> The code was basically like this (assuming size_t can be u64)
>
>     var_u64 |= var_u8 << 24
>
> var_u8 is first promoted to i32 and then the shift is done. Next, it is
> promoted to u64 by first sign-extending to 64 bits. This is very unlikely
> to be what was intended. So now it is first forced to u32.
>
>     var_u64 |= (u32)var_u8 << 24
>
> Signed-off-by: Kees Bakker <kees@xxxxxxxxxxxx>

Very good. I'm trying to figure out the impact of this bug. We'd have to
write more than INT_MAX bytes to hit this. And I think we're pretty screwed
either way if we manage to do that... Still, it probably deserves a Fixes
tag.

Could you add a Fixes tag and resend?

Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

regards,
dan carpenter
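The promotion chain discussed in the thread, as an added stand-alone example rather than the patch's own code: `or_shifted_buggy` is the original expression, `or_shifted_modelled` spells out the same promotions step by step with only implementation-defined (not undefined) conversions so the sign extension can be observed reliably, and `or_shifted_fixed` is the corrected form. All function names and the sample values are constructed for this illustration.

```c
#include <stdint.h>

/*
 * Original form. var_u8 (uint8_t) is promoted to int before the shift.
 * If bit 7 of var_u8 is set, the shift lands on bit 31, i.e. the sign bit
 * of a 32-bit int (strictly, that shift is undefined behaviour in C; gcc
 * and clang produce the wrapped negative value in practice). The negative
 * int is then converted to uint64_t, which sign-extends it, so bits 32..63
 * of var_u64 all end up set.
 */
uint64_t or_shifted_buggy(uint64_t var_u64, uint8_t var_u8)
{
	var_u64 |= var_u8 << 24;
	return var_u64;
}

/*
 * Same promotions made explicit, using only defined or implementation-
 * defined steps: the shift is done in uint32_t, the result is converted to
 * int32_t (wraps to a negative value when bit 31 is set on gcc/clang), and
 * that signed value is OR-ed into the uint64_t, which sign-extends it.
 */
uint64_t or_shifted_modelled(uint64_t var_u64, uint8_t var_u8)
{
	int32_t promoted = (int32_t)((uint32_t)var_u8 << 24);
	var_u64 |= (uint64_t)promoted;	/* negative -> 0xFFFFFFFF8....... */
	return var_u64;
}

/*
 * Corrected form from the patch: the cast to uint32_t stops the operand
 * from being promoted to (signed) int, so the shift stays unsigned and the
 * widening to uint64_t is a zero extension.
 */
uint64_t or_shifted_fixed(uint64_t var_u64, uint8_t var_u8)
{
	var_u64 |= (uint32_t)var_u8 << 24;
	return var_u64;
}
```

With `var_u8 = 0x80` the buggy path turns an accumulated `0` into `0xFFFFFFFF80000000`, while the fixed path yields `0x80000000`; for `var_u8 < 0x80` the three functions agree, which is why the thread notes the bug only bites once bit 31 of the accumulated value comes into play.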