diff options
author | Mikael Pettersson <[email protected]> | 2018-04-21 13:39:11 +0200 |
---|---|---|
committer | Mikael Pettersson <[email protected]> | 2018-04-21 13:39:11 +0200 |
commit | bf96458d2abfc22abbb3c4ae5126859421b054d7 (patch) | |
tree | 6712610da8f962fd6258409fcd2630b3545b67b0 /bootstrap/lib/kernel/ebin | |
parent | 0343b68b053ee97b2ef70ea07b9aa87e8842c591 (diff) | |
download | otp-bf96458d2abfc22abbb3c4ae5126859421b054d7.tar.gz otp-bf96458d2abfc22abbb3c4ae5126859421b054d7.tar.bz2 otp-bf96458d2abfc22abbb3c4ae5126859421b054d7.zip |
fix integer truncation bugs in error logger path
Sending a large term to the error logger has two problems related
to the size and sign of the variables used to represent lengths:
- the API functions (erts_send_error_term_to_logger() et al) perform
an unchecked narrowing conversion from size_t to int when passing
dsbufp->str_len to the internal functions; this may both truncate
the length and make it negative
- do_send_term_to_logger() and do_send_to_logger() multiply the
int-typed length by 2 before widening it to Uint and adding a few
more values; the intermediate product may overflow causing loss
of high bits and a change of sign; if the intermediate product is
negative the final size will be an extremely large positive value
The end result is that the computed buffer size can be arbitrarily
wrong, either too small or too large.
While reviewing this code I also found and fixed a potential narrowing
bug in erts_set_hole_marker().
Diffstat (limited to 'bootstrap/lib/kernel/ebin')
0 files changed, 0 insertions, 0 deletions