Avoid ptrdiff between pointers to different allocations · 973dc9c06d - rapidjson - Darktea: Dark cup of Gitea (Gitea on the Dark Web)

Avoid ptrdiff between pointers to different allocations

When using running both Undefined Behavior Sanitizer (UBSan) and
Hardware-Assisted Address Sanitizer (HWASan) on Fuchsia, ubsan
complained about a pointer overflow when computing the new token->name pointer.
This happens because the initial pointer diff takes the offset between
two allocations with different tags, so the arithmetic results in a very
large diff that gets added to the original token->name ptr which
overflows.

Any arithmetic between pointers to two allocations is unspecified
behavior, so hwasan+ubsan is catching a bug here. It looks like
rapidjson is just attempting to update the name pointers to strings
copied into the new nameBuffer_ via this arithmetic, but since these
strings and the tokens are in the same buffer, the offset between them
should be the same. For each token we can just get this offset and
adjust the new name pointers accordingly which avoids the bad arithmetic.

This commit is contained in:

Leonard Chan

2023-05-09 21:31:22 +00:00

committed by

Milo Yip

parent 2a1f586ba6

commit 973dc9c06d

1 changed files with 10 additions and 4 deletions

									
										14

include/rapidjson/pointer.h

										View File
									
				@ -890,10 +890,16 @@ private:

				            std::memcpy(nameBuffer_, rhs.nameBuffer_, nameBufferSize * sizeof(Ch));

				        }

				        // Adjust pointers to name buffer

				        std::ptrdiff_t diff = nameBuffer_ - rhs.nameBuffer_;

				        for (Token *t = tokens_; t != tokens_ + rhs.tokenCount_; ++t)

				            t->name += diff;

				        // The names of each token point to a string in the nameBuffer_. The

				        // previous memcpy copied over string pointers into the rhs.nameBuffer_,

				        // but they should point to the strings in the new nameBuffer_.

				        for (size_t i = 0; i < rhs.tokenCount_; ++i) {

				          // The offset between the string address and the name buffer should

				          // still be constant, so we can just get this offset and set each new

				          // token name according the new buffer start + the known offset.

				          std::ptrdiff_t name_offset = rhs.tokens_[i].name - rhs.nameBuffer_;

				          tokens_[i].name = nameBuffer_ + name_offset;

				        }

				        return nameBuffer_ + nameBufferSize;

				    }