On 17/10/24 14:51, Dan Carpenter wrote:
> On Thu, Oct 17, 2024 at 09:54:47PM +0200, Kees Bakker wrote:
>> The code was basically like this (assuming size_t can be u64)
>>
>>   var_u64 |= var_u8 << 24
>>
>> var_u8 is first promoted to i32 and then the shift is done. Next, it is
>> promoted to u64 by first sign-extending to 64 bits. This is very unlikely
>> to be what was intended. So now it is first forced to u32.
>>
>>   var_u64 |= (u32)var_u8 << 24
>>
>> Signed-off-by: Kees Bakker <kees@xxxxxxxxxxxx>
>
> Very good. I'm trying to figure out the impact of this bug. We'd have to write
> more than INT_MAX bytes to hit this. And I think we're pretty screwed either
> way if we manage to do that... Still, it probably deserves a Fixes tag. Could
> you add a Fixes tag and resend?
Plus, if this was "caught by Coverity", don't forget to briefly mention that in
the changelog text.
Thanks
--
Gustavo
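Added example (not part of the patch or of anyone's message in this thread): a small C program that reproduces the promotion chain described above, so the effect of the missing `(u32)` cast can be seen on a concrete value. The function names `or_high_byte_buggy`, `or_high_byte_fixed` and `decode_len32` and the 4-byte header are constructed for this illustration. The buggy variant writes out the implicit `int` promotion and the sign-extending conversion explicitly, because the literal `var_u8 << 24` with bit 7 of the byte set is a signed overflow in ISO C; the explicit form is well-defined and yields what compilers produce in practice.

```c
#include <stdint.h>
#include <stdio.h>

/* Models the original expression:  var_u64 |= var_u8 << 24;
 * var_u8 is promoted to int before the shift. If bit 7 of the byte is
 * set, the int result has its sign bit set, and converting that int to
 * u64 sign-extends it, setting all of the upper 32 bits. The promotion
 * and the conversion are spelled out here so the code is well-defined. */
uint64_t or_high_byte_buggy(uint64_t acc, uint8_t b)
{
    /* value the shift produces as a (possibly negative) int */
    int32_t promoted = (int32_t)((uint32_t)b << 24);
    /* int -> u64 conversion sign-extends */
    return acc | (uint64_t)promoted;
}

/* The corrected expression from the patch:  var_u64 |= (u32)var_u8 << 24;
 * The shift is done on an unsigned 32-bit value, so no sign bit exists
 * and the widening to u64 zero-extends. */
uint64_t or_high_byte_fixed(uint64_t acc, uint8_t b)
{
    return acc | ((uint32_t)b << 24);
}

/* Assemble a 32-bit big-endian length into a 64-bit accumulator, using
 * the supplied variant for the top byte and the safe form for the rest. */
uint64_t decode_len32(const uint8_t buf[4],
                      uint64_t (*or_top)(uint64_t, uint8_t))
{
    uint64_t len = 0;

    len = or_top(len, buf[0]);
    len |= (uint32_t)buf[1] << 16;
    len |= (uint32_t)buf[2] << 8;
    len |= buf[3];
    return len;
}

int main(void)
{
    /* constructed header: length 0x80000010, i.e. just above INT_MAX */
    const uint8_t hdr[4] = { 0x80, 0x00, 0x00, 0x10 };

    printf("buggy: 0x%016llx\n",
           (unsigned long long)decode_len32(hdr, or_high_byte_buggy));
    printf("fixed: 0x%016llx\n",
           (unsigned long long)decode_len32(hdr, or_high_byte_fixed));
    return 0;
}
```

With the top byte below 0x80 both variants agree, which is why the bug only shows up once the encoded size reaches INT_MAX; above that the buggy form turns 0x80000010 into 0xffffffff80000010, a size_t that no allocator or bounds check will treat sensibly.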