authorAndrew Waterman <andrew@sifive.com>2024-08-27 16:55:16 -0700
committerAndrew Waterman <andrew@sifive.com>2024-08-27 16:55:16 -0700
commiteb85c33899ea06a7011d857375282926243442dd (patch)
tree7fe7bb8b4876b173acdb46a55778f1d6fe422e7e
parent1b33b5426ba878555fbe87a26865fc42d26488ce (diff)
Check size_t bounds overflow in create_mem_region
-rw-r--r--riscv/cfg.cc6
1 files changed, 4 insertions, 2 deletions
diff --git a/riscv/cfg.cc b/riscv/cfg.cc
index 8763240..2f9a229 100644
--- a/riscv/cfg.cc
+++ b/riscv/cfg.cc
@@ -18,13 +18,15 @@ bool mem_cfg_t::check_if_supported(reg_t base, reg_t size)
// the regions in the first place, but we have them here to make sure that
// we can't end up describing memory regions that don't make sense. They
// ask that the page size is a multiple of the minimum page size, that the
- // page is aligned to the minimum page size, that the page is non-empty and
- // that the top address is still representable in a reg_t.
+ // page is aligned to the minimum page size, that the page is non-empty,
+ // that the size doesn't overflow size_t, and that the top address is still
+ // representable in a reg_t.
//
// Note: (base + size == 0) part of the assertion is to handle cases like
// { base = 0xffff_ffff_ffff_f000, size: 0x1000 }
return (size % PGSIZE == 0) &&
(base % PGSIZE == 0) &&
+ (size_t(size) == size) &&
(size > 0) &&
((base + size > base) || (base + size == 0));
}
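Review bot: The new `(size_t(size) == size)` term in the return expression states its intent only through a narrowing round-trip with a function-style cast, which reads like a no-op unless the reader knows size_t can be narrower than reg_t on the host. Writing it as `(static_cast<size_t>(size) == size) &&` with a comment such as `// reject sizes that would be truncated when narrowed to size_t (e.g. on 32-bit hosts)` would make the guard self-explanatory. The commit title names create_mem_region, which is not part of this hunk, so the check only helps if every path that narrows a region size to size_t goes through check_if_supported first. That is worth confirming, since a truncated size would presumably give a host buffer smaller than the region described to the guest. The body of check_if_supported begins above the hunk.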