Possible Undefined Behavior in antivirus_metrics_provider_win.cc
Reported by
sabbaku...@yandex-team.ru,
May 15 2017
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36 Steps to reproduce the problem: https://cs.chromium.org/chromium/src/chrome/browser/metrics/antivirus_metrics_provider_win.cc?q=chrome/browser/metrics/antivirus_metrics_provider_win.cc&dr&l=401 What is the expected behavior? What went wrong? It seems like the reinterpret_cast is not valid here and should be changed to std::copy or memcpy. Probably dereferencing the given pointer is undefined behavior: http://en.cppreference.com/w/cpp/language/reinterpret_cast Did this work before? N/A Chrome version: 58.0.3029.96 Channel: dev OS Version: 10.0 Flash Version:
,
May 15 2017
,
May 16 2017
Will, can you take a look?
,
May 16 2017
sabbakumov@ can you be more specific what behavior here would be undefined? The static assert on line 71 already checks that sizeof(PRODUCT_STATE) is 4 which is same as sizeof(LONG).
,
May 17 2017
I've made a patch: https://codereview.chromium.org/2876373002/ On cppreference it's said that: "5) Any pointer to object of type T1 can be converted to pointer to object of another type cv T2. This is exactly equivalent to static_cast<cv T2*>(static_cast<cv void*>(expression)) (which implies that if T2's alignment requirement is not stricter than T1's, the value of the pointer does not change and conversion of the resulting pointer back to its original type yields the original value). In any case, the resulting pointer may only be dereferenced safely if allowed by the type aliasing rules (see below)" That means that dereferencing such a pointer is only valid under cases: "* AliasedType is (possibly cv-qualified) DynamicType * AliasedType and DynamicType are both (possibly multi-level, possibly cv-qualified at each level) pointers to the same type T (since C++11) * AliasedType is the (possibly cv-qualified) signed or unsigned variant of DynamicType * AliasedType is an aggregate type or a union type which holds one of the aforementioned types as an element or non-static member (including, recursively, elements of subaggregates and non-static data members of the contained unions): this makes it safe to obtain a usable pointer to a struct or union given a pointer to its non-static member or element. * AliasedType is a (possibly cv-qualified) base class of DynamicType and DynamicType is a standard-layout class that has has no non-static data members, and AliasedType is its first base class. * AliasedType is char, unsigned char, or std::byte: this permits examination of the object representation of any object as an array of bytes." If AliasedType does not satisfy these requirements, accessing the object through the new pointer or reference invokes undefined behavior.
,
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/88b9bc14b5d592e258623f27363d768ec25ce05b commit 88b9bc14b5d592e258623f27363d768ec25ce05b Author: sabbakumov <sabbakumov@yandex-team.ru> Date: Thu May 18 07:00:25 2017 Change reinterpret_cast to std::copy to avoid undefined behavior It seems like the reinterpret_cast is not valid here and should be changed to std::copy or memcpy. Probably dereferencing the given pointer is undefined behavior: http://en.cppreference.com/w/cpp/language/reinterpret_cast BUG=722170 Review-Url: https://codereview.chromium.org/2876373002 Cr-Commit-Position: refs/heads/master@{#472717} [modify] https://crrev.com/88b9bc14b5d592e258623f27363d768ec25ce05b/chrome/browser/metrics/antivirus_metrics_provider_win.cc |
|||
►
Sign in to add a comment |
|||
Comment 1 by ranjitkan@chromium.org
, May 15 2017