diff options
author | Kostis Sagonas <[email protected]> | 2015-10-12 07:53:20 +0200 |
---|---|---|
committer | Kostis Sagonas <[email protected]> | 2015-10-12 07:53:20 +0200 |
commit | d94a8ef6dc136dd2eedf3c3ad4bc053ca8fdd1b0 (patch) | |
tree | a5e54dfd9d03b28ab6ede0cca054ad5892edaa2d /HOWTO | |
parent | 4f9905824002bebc33c2914669b4c364927cb0ee (diff) | |
download | otp-d94a8ef6dc136dd2eedf3c3ad4bc053ca8fdd1b0.tar.gz otp-d94a8ef6dc136dd2eedf3c3ad4bc053ca8fdd1b0.tar.bz2 otp-d94a8ef6dc136dd2eedf3c3ad4bc053ca8fdd1b0.zip |
Fix edge case of Size = 0 in bs_put_integer
copy_offset_int_big was assuming (Offset + Size - 1) (Tmp9 in the first
BB) would not underflow. It was also unconditionally reading and writing
the binary even when Size was zero, unlike copy_int_little, which is the
only other case of bs_put_integer that does not have a short-circuit on
Size = 0.
This was causing segfaults when constructing binaries starting with a
zero-length integer field, because a logical right shift was used to
compute an offset in bytes (which became 0x1fffffffffffffff) to read in
the binary.
Tests, taken from the emulator bs_construct_SUITE, were also added.
The complete credit for the report and the fix goes to Magnus Lång.
Diffstat (limited to 'HOWTO')
0 files changed, 0 insertions, 0 deletions