Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling

[Jeffrey Walton <noloader () gmail com>]

On Fri, Aug 17, 2018 at 5:43 AM, Frediano Ziglio <fziglio () redhat com> wrote:
> > On 08/17/2018 02:51 AM, Doran Moppert wrote:
> > >      +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
> > >      +            goto error;
> > >      +        }
> >
> > These checks are still technically invalid because start + 2 is not a
> > valid pointer if it points past the allocated object.
> Technical but not real. Unless it wraps is correct...

I believe Florian is correct. I think the most freedom you are allowed
is to access one beyond the "end" of the array; otherwise it is
undefined behavior. The compiler is free to remove the code or dragons
can fly out your nose.

Jeff