[CRIU] [PATCH] zdtm: avoid arithmetic overflow in datagen and datachk

Andrei Vagin avagin at openvz.org
Tue Oct 17 09:34:52 MSK 2017


From: Andrei Vagin <avagin at virtuozzo.com>

p + FAST_SIZE > buffer + length

In this expression p + FAST_SIZE may exceed (1<<32) and wrap around,
so the bounds check passes and we will be in trouble.

$ gdb -c coredump test/zdtm/static/write_read01

(gdb) p p
$3 = (uint8_t *) 0xffffa89e
(gdb) p buffer
$4 = (uint8_t *) 0xfff06780
(gdb) p length
$5 = 1000000

Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
---
 test/zdtm/lib/datagen.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/test/zdtm/lib/datagen.c b/test/zdtm/lib/datagen.c
index 550339c40..83fbea285 100644
--- a/test/zdtm/lib/datagen.c
+++ b/test/zdtm/lib/datagen.c
@@ -14,42 +14,42 @@
 
 static void datagen_fast(uint8_t *buffer, unsigned length, uint32_t *crc)
 {
-	uint8_t *p;
+	size_t off;
 
 	datagen(buffer, FAST_SIZE, crc);
-	p = buffer + FAST_SIZE;
+	off = FAST_SIZE;
 
-	while (p < buffer + length) {
+	while (off < length) {
 		unsigned long size = FAST_SIZE;
 
-		if (p + FAST_SIZE > buffer + length)
-			size = buffer + length - p;
-		memcpy(p, buffer, size);
+		if (off + FAST_SIZE > length)
+			size = length - off;
+		memcpy(buffer + off, buffer, size);
 
-		p += FAST_SIZE;
+		off += size;
 	}
 }
 
 static int datachk_fast(const uint8_t *buffer, unsigned length, uint32_t *crc)
 {
-	const uint8_t *p;
+	size_t off;
 
 	if (datachk(buffer, FAST_SIZE, crc))
 		return 1;
 
-	p = buffer + FAST_SIZE;
+	off = FAST_SIZE;
 
-	while (p < buffer + length) {
+	while (off < length) {
 		unsigned long size = FAST_SIZE;
 
-		if (p + FAST_SIZE > buffer + length)
-			size = buffer + length - p;
+		if (off + FAST_SIZE > length)
+			size = length - off;
 
-		if (memcmp(p, buffer, size)) {
-			test_msg("Memory corruption [%p, %p]\n", p, p + size);
+		if (memcmp(buffer + off, buffer, size)) {
+			test_msg("Memory corruption [%p, %p]\n", buffer, buffer + size);
 			return 1;
 		}
-		p += FAST_SIZE;
+		off += size;
 	}
 
 	return 0;
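Review bot: The diagnostic in datachk_fast now reports the wrong range: the new `test_msg("Memory corruption [%p, %p]\n", buffer, buffer + size);` prints the reference chunk at the start of the buffer, whereas the removed line printed the chunk that actually mismatched, so after this patch every failure reports the same two addresses no matter where the corruption is. The compared region is `buffer + off`, so the message should read `test_msg("Memory corruption [%p, %p]\n", buffer + off, buffer + off + size);`. A smaller point applying to both loops: `off + FAST_SIZE > length` is evaluated in size_t, which is 32 bits wide on the target shown in the gdb output, so an unsigned length close to UINT_MAX could in principle still wrap; the subtraction form `if (FAST_SIZE > length - off)` cannot overflow because the loop condition guarantees `off < length`. The closing brace of datachk_fast lies beyond the last hunk line shown here.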
-- 
2.13.3


