darray.h: avoid UB when decrementing zero pointer
Sometimes the `&(arr).item[(arr).size]` is a zero pointer. In these
cases decrementing this pointer aka `i` results in something like
0xfffffff8. This is UB, and UB sanitizer in particular reports it as

../iscsi/tcmu-runner/libtcmu.c:563:2: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffff8

In these cases size is `zero` as well, so fix this by simply not running
the cycle when the `size` is zero.

Signed-off-by: Konstantin Kharlamov <[email protected]>
Hi-Angel committed Jul 28, 2019
1 parent cdd0b8b commit f463655
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions ccan/darray/darray.h
@@ -310,8 +310,8 @@ static inline size_t darray_next_alloc(size_t alloc, size_t need)
*
* Like darray_foreach, but traverse in reverse order.
*/
#define darray_foreach_reverse(i, arr) \
for ((i) = &(arr).item[(arr).size]; (i)-- > &(arr).item[0]; )
#define darray_foreach_reverse(ptr, arr) \
for (size_t _i = 0; _i < (arr).size && ((ptr) = &(arr).item[(arr).size - _i]); ++_i)


#endif /* CCAN_DARRAY_H */
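Review bot: The added `for` line is off by one: with `_i == 0` the first pointer handed to the body is `&(arr).item[(arr).size]`, one past the last element, and the final iteration (`_i == (arr).size - 1`) yields `&(arr).item[1]`, so the first pass reads out of bounds and `item[0]` is never visited, whereas the removed version decremented before the comparison and covered `item[size - 1]` down to `item[0]`. Indexing with `(arr).item[(arr).size - 1 - _i]` restores that range while keeping the `_i < (arr).size` guard, which is what actually avoids forming the pointer when `size` is zero. Two smaller points: the assignment `((ptr) = ...)` is used as the loop's truth value and only works because the address cannot be null once the size guard has passed, so a comment stating that intent would help a future reader; and `_i` is now a variable declared inside the macro, so a caller with its own `_i` in scope gets it shadowed and the header now relies on C99 `for`-scope declarations, both worth a line in the macro's comment block.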

0 comments on commit f463655