Date: Sat, 22 Sep 2018 23:45:03 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: un-UBify-strings

On Sat, Sep 22, 2018 at 11:15:02PM -0400, Rich Felker wrote:
> On Sun, Sep 23, 2018 at 03:10:14AM +0000, Pascal Cuoq wrote:
> > 
> > On 23 Sep 2018, at 04:45, Rich Felker <dalias@...c.org> wrote:
> > I'm also trying to fix the UB in
> > address range checks for implementing memmove as memcpy, etc. Is this
> > correct:
> > 
> > if ((uintptr_t)s-(uintptr_t)d-n <= -2*n) return memcpy(d, s, n);
> > 
> > ?
> > 
> > It looks okay to me. You want to test whether
> > (uintptr_t)s-(uintptr_t)d, computed as a mathematical integer, is
> > between -n and n, and since uintptr_t is unsigned, you are using the
> > well-known trick of aligning one of the bounds with 0 so that both
> > inequalities can be tested in one instruction.
> 
> Right.
> 
> > It would seem more natural to me to work on the right-hand side of
> > zero, that is, to compute (uintptr_t)s-(uintptr_t)d+n and to check
> > whether that is <= 2*n (overlap) or > 2*n (no overlap). The
> > generated code may even be one instruction shorter. Apart from that,
> > as long as we have the hypothesis that n <= UINTPTR_MAX/2, I cannot
> > immediately see any reason why it would not work.
> 
> dist(s,d)==n is a no-overlap case. Otherwise I think this is correct
> and we can use:
> 
> 	if ((uintptr_t)s-(uintptr_t)d+n >= 2*n) return memcpy(d, s, n);
> 
> Yes?

BTW just below there's a conditional if (d<s) that, as far as I can
tell, does not need any fixing. If we reach that point (if we don't
just call memcpy for the non-overlapping case) then, assuming n is
valid, d and s necessarily point into the same array, and therefore
d<s is well-defined.

Rich
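
An added example, not part of the thread or of musl's source: a brute-force comparison of the two range checks quoted above against a wrap-free reference (|s-d| >= n) over constructed addresses. The helper names are hypothetical, and the sweep assumes flat integer addresses with 1 <= n <= UINTPTR_MAX/2.

```c
#include <stdint.h>
#include <stdio.h>

/* Wrap-free reference: n-byte buffers at s and d are disjoint iff |s-d| >= n. */
static int ref_disjoint(uintptr_t s, uintptr_t d, uintptr_t n)
{
    uintptr_t dist = s > d ? s - d : d - s;
    return dist >= n;
}

/* First form quoted in the thread (operands already converted to uintptr_t). */
static int check_minus(uintptr_t s, uintptr_t d, uintptr_t n)
{
    return s - d - n <= -2*n;
}

/* Second form quoted in the thread. */
static int check_plus(uintptr_t s, uintptr_t d, uintptr_t n)
{
    return s - d + n >= 2*n;
}

/* Count disagreements with the reference; *edge counts those at d == s+n. */
static unsigned sweep(int (*check)(uintptr_t, uintptr_t, uintptr_t), unsigned *edge)
{
    const uintptr_t s = 4096; /* constructed address, far from 0 and UINTPTR_MAX */
    unsigned bad = 0;
    *edge = 0;
    for (uintptr_t n = 1; n <= 64; n++)
        for (uintptr_t d = s - 80; d <= s + 80; d++)
            if (check(s, d, n) != ref_disjoint(s, d, n)) {
                bad++;
                *edge += (d == s + n);
            }
    return bad;
}

int main(void)
{
    unsigned edge, bad = sweep(check_minus, &edge);
    printf("s-d-n <= -2*n: %u disagreements\n", bad);
    bad = sweep(check_plus, &edge);
    printf("s-d+n >= 2*n:  %u disagreements, %u at d == s+n\n", bad, edge);
    return 0;
}
```

Over this sweep the first form agrees with the reference everywhere, while the second form differs only where d == s+n, which it sends to the overlap-handling path instead of memcpy.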
