[v2] util/cutils: Fix Coverity array overrun in freq_to_str()

[PATCH-for-5.2 v2] util/cutils: Fix Coverity array overrun in freq_to_str()

Philippe Mathieu-Daudé posted 1 patch 3 years, 6 months ago

Diff against v1 v3
Download mbox

Test checkpatch passed

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20201101215408.2019266-1-f4bug@amsat.org

There is a newer version of this series

util/cutils.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

Expand all Fold all

[PATCH-for-5.2 v2] util/cutils: Fix Coverity array overrun in freq_to_str()

Posted by Philippe Mathieu-Daudé 3 years, 6 months ago

Rewrite the iteration to avoid an array overrun. This fixes
CID 1435957:  Memory - illegal accesses (OVERRUN):

>>> Overrunning array "suffixes" of 7 8-byte elements at element
    index 7 (byte offset 63) using index "idx" (which evaluates to 7).

Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
which is ~18.446 EHz, less than 1000 EHz.

Reported-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
Supersedes: <20201029185506.1241912-1-f4bug@amsat.org>
---
 util/cutils.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/util/cutils.c b/util/cutils.c
index c395974fab4..723051da6e8 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -889,11 +889,13 @@ char *freq_to_str(uint64_t freq_hz)
 {
     static const char *const suffixes[] = { "", "K", "M", "G", "T", "P", "E" };
     double freq = freq_hz;
-    size_t idx = 0;
+    size_t idx;
 
-    while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
+    for (idx = 0; idx < ARRAY_SIZE(suffixes) - 1; idx++) {
+        if (freq < 1000.0) {
+            break;
+        }
         freq /= 1000.0;
-        idx++;
     }
 
     return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
-- 
2.26.2