oss-sec mailing list archives
Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling
From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 17 Aug 2018 06:33:12 -0400
On Fri, Aug 17, 2018 at 5:43 AM, Frediano Ziglio <fziglio () redhat com> wrote:
> > On 08/17/2018 02:51 AM, Doran Moppert wrote:
> > > + if (SPICE_UNLIKELY((start + 2) > message_end)) {
> > > + goto error;
> > > + }
> >
> > These checks are still technically invalid because start + 2 is not a valid pointer if it points past the allocated object.
>
> Technical but not real. Unless it wraps is correct...
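Review bot: the check `(start + 2) > message_end` forms the pointer `start + 2` before it knows that two bytes remain, so on exactly the short messages it is meant to reject the pointer lands more than one element past the end of the buffer, which the C standard does not permit and which a compiler is entitled to assume never happens. Compare the remaining length instead, e.g. `if (SPICE_UNLIKELY(message_end - start < 2)) { goto error; }`, which only subtracts two pointers into the same object; this relies on the caller keeping `start <= message_end`, which the demarshaller must already guarantee for `message_end` to be meaningful.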
I believe Florian is correct. I think the most freedom you are allowed is to access one beyond the "end" of the array; otherwise it is undefined behavior. The compiler is free to remove the code or dragons can fly out your nose.

Jeff
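As an added illustration of the point Florian and Jeff are making (example code written for this page, not spice's demarshaller; the cursor_t type, the field names and the u16-count-then-u32-values message layout are assumptions), the following shows the pointer-forming check beside a length-based check that never materialises an out-of-range pointer, with the length-based form used to parse a constructed well-formed message and a constructed truncated one:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical demarshaller cursor; not spice's own type. */
typedef struct {
    const uint8_t *start;        /* next unread byte */
    const uint8_t *message_end;  /* one past the last byte: a valid pointer */
} cursor_t;

/* Remaining bytes. Both pointers point into (or one past the end of) the
 * same buffer, so the subtraction is well-defined as long as the invariant
 * start <= message_end holds. */
static size_t remaining(const cursor_t *c)
{
    assert(c->start <= c->message_end);
    return (size_t)(c->message_end - c->start);
}

/* The form under discussion: compute start + n first, then compare.
 * Gives the same answer as a length check whenever n is in range, but when
 * n exceeds the remaining bytes the expression start + n forms a pointer
 * more than one past the end of the object, which C does not allow.
 * Kept only for contrast; called below with an in-range n only. */
static int has_bytes_ptr_form(const cursor_t *c, size_t n)
{
    return (c->start + n) <= c->message_end;   /* UB when n > remaining */
}

/* Preferred form: compare the length that is left. */
static int has_bytes(const cursor_t *c, size_t n)
{
    return remaining(c) >= n;
}

/* Read a little-endian u16 / u32 only when enough bytes remain.
 * Return 1 on success, 0 on a truncated message. */
static int read_u16(cursor_t *c, uint16_t *out)
{
    if (!has_bytes(c, 2))
        return 0;
    *out = (uint16_t)(c->start[0] | (c->start[1] << 8));
    c->start += 2;
    return 1;
}

static int read_u32(cursor_t *c, uint32_t *out)
{
    if (!has_bytes(c, 4))
        return 0;
    *out = (uint32_t)c->start[0] | ((uint32_t)c->start[1] << 8)
         | ((uint32_t)c->start[2] << 16) | ((uint32_t)c->start[3] << 24);
    c->start += 4;
    return 1;
}

/* Hypothetical message: u16 count, then count u32 values.
 * Returns the number of values parsed, or -1 if the message is truncated,
 * including a count that promises more values than the bytes present. */
static int demarshal(const uint8_t *buf, size_t len, uint32_t *vals, size_t max)
{
    cursor_t c = { buf, buf + len };   /* buf + len is one past the end: allowed */
    uint16_t count;
    if (!read_u16(&c, &count))
        return -1;
    /* Validate the whole payload with a length comparison rather than by
     * forming buf + 2 + 4*count, which may lie far outside the buffer. */
    if ((size_t)count > max || remaining(&c) / 4 < count)
        return -1;
    for (size_t i = 0; i < count; i++)
        if (!read_u32(&c, &vals[i]))
            return -1;
    return (int)count;
}

/* Constructed inputs for the demonstration. */
static const uint8_t good_msg[] = { 2, 0,  1,0,0,0,  0xff,0xff,0,0 };  /* 2 values */
static const uint8_t bad_msg[]  = { 3, 0,  1,0,0,0 };                 /* promises 3, carries 1 */
static const uint8_t stub_msg[] = { 1 };                              /* not even a full count */

static int example_good_count(void)   { uint32_t v[4]; return demarshal(good_msg, sizeof good_msg, v, 4); }
static uint32_t example_good_second(void) { uint32_t v[4]; demarshal(good_msg, sizeof good_msg, v, 4); return v[1]; }
static int example_bad_count(void)    { uint32_t v[4]; return demarshal(bad_msg, sizeof bad_msg, v, 4); }
static int example_stub_count(void)   { uint32_t v[4]; return demarshal(stub_msg, sizeof stub_msg, v, 4); }

int main(void)
{
    cursor_t c = { good_msg, good_msg + sizeof good_msg };
    printf("good: %d values, second = 0x%x\n", example_good_count(), example_good_second());
    printf("bad: %d, stub: %d\n", example_bad_count(), example_stub_count());
    /* In range, both forms agree; that is why the pointer form survives testing. */
    printf("in-range check agrees: %d\n", has_bytes_ptr_form(&c, 2) == has_bytes(&c, 2));
    return 0;
}
```

The two forms agree on every in-range `n`, which is why the pointer-forming check passes ordinary testing and fuzzing; the length form differs only in that it never asks the compiler to evaluate a pointer it is allowed to treat as impossible, so the bounds check cannot be optimised away.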
Current thread:
- spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Doran Moppert (Aug 16)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Florian Weimer (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Frediano Ziglio (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Jeffrey Walton (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Frediano Ziglio (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Florian Weimer (Aug 17)