fpFD_SET performs out of bounds write
Original Reporter info from Mantis: a.vasiliev
- Reporter name: Artem Vasiliev
Description:
On x86_64 Linux machine:
cuLong = qword;
BITSINWORD = 8*sizeof(cuLong);
ln2bitsinword = 6
FD_MAXFDSET = 1024
TFDSet = ARRAY[0..(FD_MAXFDSET div BITSINWORD)-1] of cuLong;
In file "rtl/unix/genfdset.inc".
////////
function fpFD_SET(fdno:cint;var nset : TFDSet): cint;
Begin
  if (fdno<0) or (fdno > FD_MAXFDSET) Then
    exit(-1);
  nset[fdno shr ln2bitsinword]:=nset[(fdno) shr ln2bitsinword] OR (TFDSetEl(1) shl ((fdno) and ln2bitmask));
  fpFD_SET:=0;
End;
////////
If fdno is exactly 1024, this function does not reject it but writes past the end of the array, which is undefined behaviour. This happens because TFDSet has exactly 16 elements (indices 0 to 15) while "1024 shr ln2bitsinword" equals 16.
To fix this behaviour the condition must be changed to:
Begin
  if (fdno<0) or (fdno >= FD_MAXFDSET) Then
  ...
End
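The arithmetic behind the off-by-one, modelled in C as an added example (not the report's or the FPC RTL's own code). It uses the x86_64 Linux values quoted above (64-bit cuLong, ln2bitsinword = 6, FD_MAXFDSET = 1024) and assumes ln2bitmask = BITSINWORD - 1 = 63, which the report does not state. The original check is kept as a pure predicate so that the index it would admit can be inspected without performing the out-of-bounds write; the corrected check is applied in the setter.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constants mirroring the x86_64 Linux values quoted in the report. */
#define FD_MAXFDSET 1024
typedef uint64_t fdset_el;                      /* cuLong = qword */
#define BITSINWORD (8 * sizeof(fdset_el))       /* 64 */
#define LN2BITSINWORD 6
#define LN2BITMASK (BITSINWORD - 1)             /* assumed: 63, not stated in the report */
#define FDSET_WORDS (FD_MAXFDSET / BITSINWORD)  /* 16 elements, indices 0..15 */

typedef struct { fdset_el w[FDSET_WORDS]; } tfdset;

/* Word index the RTL computes for a descriptor number: fdno shr ln2bitsinword. */
static size_t fd_word_index(int fdno) { return (size_t)fdno >> LN2BITSINWORD; }

/* The bounds check as originally written (fdno > FD_MAXFDSET), as a predicate:
 * true when the descriptor passes the check. It lets fdno == FD_MAXFDSET through. */
static bool original_check_accepts(int fdno) { return !(fdno < 0 || fdno > FD_MAXFDSET); }

/* The corrected check from the report (fdno >= FD_MAXFDSET). */
static bool fixed_check_accepts(int fdno) { return !(fdno < 0 || fdno >= FD_MAXFDSET); }

/* Does the original check admit an fdno whose word index lies outside the array? */
static bool original_check_allows_oob(int fdno) {
    return original_check_accepts(fdno) && fd_word_index(fdno) >= FDSET_WORDS;
}

/* fpFD_SET with the corrected check: -1 on rejection, 0 on success. */
static int fd_set_fixed(int fdno, tfdset *nset) {
    if (fdno < 0 || fdno >= FD_MAXFDSET) return -1;
    nset->w[fd_word_index(fdno)] |= (fdset_el)1 << ((unsigned)fdno & LN2BITMASK);
    return 0;
}

/* Reads the bit back; false for any out-of-range fdno. */
static bool fd_isset(int fdno, const tfdset *nset) {
    if (fdno < 0 || fdno >= FD_MAXFDSET) return false;
    return (nset->w[fd_word_index(fdno)] >> ((unsigned)fdno & LN2BITMASK)) & 1u;
}

/* Round trip on a fresh set: true iff the set succeeded and the bit reads back. */
static bool set_then_isset(int fdno) {
    tfdset s;
    memset(&s, 0, sizeof s);
    return fd_set_fixed(fdno, &s) == 0 && fd_isset(fdno, &s);
}

int main(void) {
    printf("word index for 1024: %zu (array has %zu words)\n",
           fd_word_index(1024), (size_t)FDSET_WORDS);
    printf("original check accepts 1024: %d\n", original_check_accepts(1024));
    printf("fixed check accepts 1024:    %d\n", fixed_check_accepts(1024));
    printf("set/isset 1023: %d, set/isset 1024: %d\n",
           set_then_isset(1023), set_then_isset(1024));
    return 0;
}
```

Running it shows that index 16 is exactly one past the last element, which is why the `>` comparison must become `>=`: the last valid descriptor in a 1024-entry set is 1023.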
Mantis conversion info:
- Mantis ID: 36229
- OS: Linux
- Platform: x86_64
- Fixed in revision: 43324 (#f7721cad)