qemu-devel

Re: [PATCH] tcg: Fix the overflow in indexing tcg_ctx->temps


From: Richard Henderson
Subject: Re: [PATCH] tcg: Fix the overflow in indexing tcg_ctx->temps
Date: Thu, 18 Apr 2024 07:58:13 -0700
User-agent: Mozilla Thunderbird

On 4/18/24 03:27, Zhiwei Jiang wrote:
Sometimes, when the address of the passed TCGTemp *ts variable is the same as 
tcg_ctx,

Pardon?  When would TCGTemp *ts == TCGContext *tcg_ctx?


the index calculated in the temp_idx function, i.e., ts - tcg_ctx->temps,
can result in a particularly large value, causing overflow in the subsequent 
array access.

Or, assert:

size_t temp_idx(TCGTemp *ts)
{
    ptrdiff_t n = ts - tcg_ctx->temps;
    assert(n >= 0 && n < tcg_ctx->nb_temps);
    return n;
}

  static inline TCGTemp *tcgv_i32_temp(TCGv_i32 v)
  {
-    return (void *)tcg_ctx + (uintptr_t)v;
+    return (void *)tcg_ctx->temps + (uintptr_t)v;
  }
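Review bot: the hunk changes only the decode direction of the TCGv_i32 handle (the `+` line rebases it on tcg_ctx->temps instead of tcg_ctx), while the encoder that produces `v` is not part of the patch. Either handles remain offsets from tcg_ctx and now decode to the wrong address, or the encoder is changed to match and the first temp encodes as offset 0, so the handle compares equal to NULL for any caller that tests it. Keeping the tcg_ctx base and instead bounds-checking the ptrdiff computed in temp_idx, as suggested above, addresses the original bug without either problem.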

This will generate 0 for the first temp, which will test as NULL.



r~
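A self-contained C model of the two points raised in this reply, added here as an illustration and not code from QEMU or from either poster: the TCGTemp/TCGContext stand-ins, `tcg_ctx`, `temp_idx_checked`, `temp_tcgv_i32`, `tcgv_i32_temp` and `handle_from_temps_base` are constructed for the example and only mimic the shape of the real structures.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for TCGTemp / TCGContext; the real QEMU
 * structures are larger, only the temps array matters here. */
typedef struct { int val; } TCGTemp;
typedef struct {
    int nb_temps;       /* temps currently allocated */
    TCGTemp temps[8];   /* backing array that temp_idx() indexes */
} TCGContext;

static TCGContext ctx_storage = { .nb_temps = 4 };
static TCGContext *tcg_ctx = &ctx_storage;

/* Bounds-checked form of temp_idx(): the index is a pointer difference,
 * so a pointer outside temps[0..nb_temps) yields a negative or oversized
 * value. Returns -1 for that case instead of letting the caller index
 * the array with it (the reply's version uses assert() instead). */
ptrdiff_t temp_idx_checked(const TCGTemp *ts)
{
    ptrdiff_t n = ts - tcg_ctx->temps;
    return (n >= 0 && n < tcg_ctx->nb_temps) ? n : -1;
}

/* Handle encoding as in the unpatched tcgv_i32_temp(): a TCGv_i32 is the
 * byte offset of the temp from tcg_ctx itself. temps[] sits after
 * nb_temps, so no live temp encodes as 0 and NULL stays distinguishable. */
typedef struct TCGv_i32_d *TCGv_i32;

TCGv_i32 temp_tcgv_i32(TCGTemp *ts)
{
    return (TCGv_i32)((uintptr_t)ts - (uintptr_t)tcg_ctx);
}

TCGTemp *tcgv_i32_temp(TCGv_i32 v)
{
    return (TCGTemp *)((char *)tcg_ctx + (uintptr_t)v);
}

/* The patch's base instead: offset from tcg_ctx->temps. For temps[0]
 * this is 0, i.e. the handle compares equal to NULL. */
uintptr_t handle_from_temps_base(const TCGTemp *ts)
{
    return (uintptr_t)ts - (uintptr_t)tcg_ctx->temps;
}
```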


