* [PATCH-for-5.2 v2] util/cutils: Fix Coverity array overrun in freq_to_str()
@ 2020-11-01 21:54 Philippe Mathieu-Daudé
0 siblings, 0 replies; only message in thread
From: Philippe Mathieu-Daudé @ 2020-11-01 21:54 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Luc Michel, Eduardo Habkost,
Philippe Mathieu-Daudé,
Alistair Francis, Richard Henderson
Rewrite the iteration to avoid an array overrun. This fixes
CID 1435957: Memory - illegal accesses (OVERRUN):
>>> Overrunning array "suffixes" of 7 8-byte elements at element
index 7 (byte offset 63) using index "idx" (which evaluates to 7).
Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
which is ~18.446 EHz, less than 1000 EHz.
Reported-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Supersedes: <20201029185506.1241912-1-f4bug@amsat.org>
---
util/cutils.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/util/cutils.c b/util/cutils.c
index c395974fab4..723051da6e8 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -889,11 +889,13 @@ char *freq_to_str(uint64_t freq_hz)
{
static const char *const suffixes[] = { "", "K", "M", "G", "T", "P", "E" };
double freq = freq_hz;
- size_t idx = 0;
+ size_t idx;
- while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
+ for (idx = 0; idx < ARRAY_SIZE(suffixes) - 1; idx++) {
+ if (freq < 1000.0) {
+ break;
+ }
freq /= 1000.0;
- idx++;
}
return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
--
2.26.2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-11-01 21:55 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-01 21:54 [PATCH-for-5.2 v2] util/cutils: Fix Coverity array overrun in freq_to_str() Philippe Mathieu-Daudé
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.