author | Marcel Hollerbach <marcel-hollerbach@t-online.de> | 2017-05-08 20:49:11 +0200 |
---|---|---|
committer | Marcel Hollerbach <marcel-hollerbach@t-online.de> | 2017-05-08 21:28:35 +0200 |
commit | 8c93898c38f0f8cdf74f9a5fc7eeaaf94b1d981f (patch) | |
tree | 5e69d0519563e88fd73b6cc78ed7d5b39112067b | |
parent | 13a9a508cec5765e2265670b5f3d7c8ebbdcedc0 (diff) | |
download | efl-devs/bu5hm4n/overflow_checks.tar.gz |
eina_hash: fix possible issue
devs/bu5hm4n/overflow_checks
As seen in ed84d7d9007b297c00540f38bc07422a3be7267c, values can
overflow.
This here is a signed integer, and the hash can come from a user and
gets right shifted by a value between 2 and 17 bits, this could result
in a maximum big integer in one hash head, but a 0 in the other hash
head. This means the operation:
left->hash - right->hash could overflow.
This can be worked around by changing
(left->hash - right->hash < 0)
to
left->hash < right->hash
This is not overflowing, because jmg can handle two 32-bit words
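
The comparison problem the commit message describes, as an added example that is not part of the commit or of EFL: it models the wrapped result of the old `left->hash - right->hash` with unsigned arithmetic (assuming a two's-complement build where the overflow wraps) and counts where its sign disagrees with the direct comparison. The names `wrapped_sub`, `cmp_old`, `cmp_new`, `count_disagreements` and both sample arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample hashes (not taken from EFL). */
static const int32_t mixed_sign[] = { INT32_MIN, -2, 0, 1, INT32_MAX };
static const int32_t non_negative[] = { 0, 1, INT32_MAX };

/* a - b as a wrapping 32-bit build would produce it. Signed overflow is
 * undefined behaviour in C, so the wrap is modelled with unsigned
 * arithmetic, which is defined modulo 2^32. */
static int32_t wrapped_sub(int32_t a, int32_t b)
{
   uint32_t d = (uint32_t)a - (uint32_t)b;
   if (d >= 0x80000000u)                      /* maps to a negative value */
     return -1 - (int32_t)(0xFFFFFFFFu - d);
   return (int32_t)d;
}

/* Old style: ordering taken from the sign of the difference. */
static int cmp_old(int32_t a, int32_t b)
{
   int32_t d = wrapped_sub(a, b);
   return (d > 0) - (d < 0);
}

/* New style: direct comparison, no arithmetic on the operands. */
static int cmp_new(int32_t a, int32_t b)
{
   if (a < b) return -1;
   if (a == b) return 0;
   return 1;
}

/* Number of ordered pairs for which the two comparators disagree. */
static size_t count_disagreements(const int32_t *v, size_t n)
{
   size_t bad = 0;
   for (size_t i = 0; i < n; i++)
     for (size_t j = 0; j < n; j++)
       if (cmp_old(v[i], v[j]) != cmp_new(v[i], v[j])) bad++;
   return bad;
}

int main(void)
{
   printf("mixed sign:   %zu\n", count_disagreements(mixed_sign, 5));
   printf("non-negative: %zu\n", count_disagreements(non_negative, 3));
   return 0;
}
```
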
-rw-r--r-- | src/lib/eina/eina_hash.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/lib/eina/eina_hash.c b/src/lib/eina/eina_hash.c index b2d338d832..3872ac32b1 100644 --- a/src/lib/eina/eina_hash.c +++ b/src/lib/eina/eina_hash.c @@ -158,7 +158,12 @@ _eina_hash_hash_rbtree_cmp_hash(const Eina_Hash_Head *hash_head, EINA_UNUSED int key_length, EINA_UNUSED void *data) { - return hash_head->hash - *hash; + if (hash_head->hash < *hash) + return -1; + else if (hash_head->hash == *hash) + return 0; + else + return 1; } static Eina_Rbtree_Direction @@ -166,7 +171,7 @@ _eina_hash_hash_rbtree_cmp_node(const Eina_Hash_Head *left, const Eina_Hash_Head *right, EINA_UNUSED void *data) { - if (left->hash - right->hash < 0) + if (left->hash < right->hash) return EINA_RBTREE_LEFT; return EINA_RBTREE_RIGHT; |
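
Review bot: in `_eina_hash_hash_rbtree_cmp_hash`, the new if/else chain has no comment saying why the one-line `return hash_head->hash - *hash;` was expanded, so a later cleanup could fold it back into the subtraction. A short comment above the first `if` noting that the difference of two hashes can overflow would protect the fix. The `else` keywords after each `return` are redundant and can be dropped.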
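
Review bot: in `_eina_hash_hash_rbtree_cmp_node`, equal hashes still fall through to `return EINA_RBTREE_RIGHT;`, while `_eina_hash_hash_rbtree_cmp_hash` in the previous hunk now returns 0 for equality explicitly. If two heads with the same hash are never expected to reach this function, a comment saying so would help; otherwise state that placing ties on the right is intended.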