public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* libiberty sha1.c: bug in adding 64-bit number to 64-bit number (binutils-2.22.90)
@ 2012-09-18 0:13 Geoff Pike
2012-09-18 7:43 ` Florian Weimer
0 siblings, 1 reply; 2+ messages in thread
From: Geoff Pike @ 2012-09-18 0:13 UTC (permalink / raw)
To: gcc-bugs
Hello libiberty experts,
I don't see anything saying that sha1_process_block() has a size limit
on its input buffer, and if the length of the buffer is big (e.g.,
2^32 on a 64-bit machine) then this code won't correctly add a 64-bit
number to 64-bit number:
/* First increment the byte count. RFC 1321 specifies the possible
length of the file up to 2^64 bits. Here we only compute the
number of bytes. Do a double word increment. */
ctx->total[0] += len;
if (ctx->total[0] < len)
++ctx->total[1];
The above is at sha1.c around line 302.
regards,
Geoff Pike
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: libiberty sha1.c: bug in adding 64-bit number to 64-bit number (binutils-2.22.90)
2012-09-18 0:13 libiberty sha1.c: bug in adding 64-bit number to 64-bit number (binutils-2.22.90) Geoff Pike
@ 2012-09-18 7:43 ` Florian Weimer
0 siblings, 0 replies; 2+ messages in thread
From: Florian Weimer @ 2012-09-18 7:43 UTC (permalink / raw)
To: Geoff Pike; +Cc: gcc-bugs
On 09/18/2012 02:13 AM, Geoff Pike wrote:
> Hello libiberty experts,
>
> I don't see anything saying that sha1_process_block() has a size limit
> on its input buffer, and if the length of the buffer is big (e.g.,
> 2^32 on a 64-bit machine) then this code won't correctly add a 64-bit
> number to 64-bit number:
>
> /* First increment the byte count. RFC 1321 specifies the possible
> length of the file up to 2^64 bits. Here we only compute the
> number of bytes. Do a double word increment. */
> ctx->total[0] += len;
> if (ctx->total[0] < len)
> ++ctx->total[1];
>
> The above is at sha1.c around line 302.
I'm not sure if many people read the gcc-bugs list, it's mainly fed from
Bugzilla. Better file a bug.
After a quick look at the code, I'm wondering if the ~63 is properly
sign-extended and then converted to size_t:
sha1_process_block (buffer, len & ~63, ctx);
This should work, but it looks a bit fishy.
--
Florian Weimer / Red Hat Product Security Team
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-09-18 7:43 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-09-18 0:13 libiberty sha1.c: bug in adding 64-bit number to 64-bit number (binutils-2.22.90) Geoff Pike
2012-09-18 7:43 ` Florian Weimer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).