Fixing a buffer overflow bug where a pointer to type of size 1 is reinterpret-casted into a pointer to bigger type, then dereferenced.

kevcadieux · kevcadieux · commit 77149881309b · 2021-05-10T23:08:51.000-07:00
diff --git a/lib/Common/DataStructures/FixedBitVector.h b/lib/Common/DataStructures/FixedBitVector.h
@@ -250,9 +250,10 @@ void BVFixed::SetRange(Container* value, BVIndex start, BVIndex len)
     BVUnit::BVUnitTContainer* bits;
     static_assert(sizeof(Container) == 1 || sizeof(Container) == sizeof(BVUnit::BVUnitTContainer),
         "Container is not suitable to represent the calculated value");
-    if (sizeof(BVUnit::BVUnitTContainer) == 1)
+    if (sizeof(Container) == 1)
     {
-        temp = *((BVUnit::BVUnitTContainer*)value);
+        static_assert(sizeof(byte) == 1, "Size of byte should be 1.");
+        temp = *(byte*)value;
         bits = &temp;
     }
     else

Original file line number	Diff line number	Diff line change
`@@ -250,9 +250,10 @@ void BVFixed::SetRange(Container* value, BVIndex start, BVIndex len)`
`250`	`250`	`BVUnit::BVUnitTContainer* bits;`
`251`	`251`	`static_assert(sizeof(Container) == 1 \|\| sizeof(Container) == sizeof(BVUnit::BVUnitTContainer),`
`252`	`252`	`"Container is not suitable to represent the calculated value");`
`253`		`- if (sizeof(BVUnit::BVUnitTContainer) == 1)`
	`253`	`+ if (sizeof(Container) == 1)`
`254`	`254`	`{`
`255`		`- temp = ((BVUnit::BVUnitTContainer)value);`
	`255`	`+ static_assert(sizeof(byte) == 1, "Size of byte should be 1.");`
	`256`	`+ temp = (byte)value;`
`256`	`257`	`bits = &temp;`
`257`	`258`	`}`
`258`	`259`	`else`