New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
‘hdrblobInit’: check pointer is 8-byte aligned #1499
‘hdrblobInit’: check pointer is 8-byte aligned #1499
Conversation
This is because the void pointer is then cast to an int32_t pointer, right? Please put that align check into a macro and refer to the actual thing it depends on, that'll make it much more self-explanatory than this random/magic-looking |
a8453c6
to
1eb4725
Compare
Um, seems I wasn't quite awake yesterday. There's no universal law that says that every pointer must be 8-byte aligned. Alignment depends on the architecture, pointer sizes and all. Like I said, refer to the thing that the alignment depends on, ie blob->ie. It's size and alignment is most certainly not equal to uint64_t everywhere. Also I believe alignof() is defined as a macro in the standard, so you could probably just test for that directly rather than test for version - testing explicit feature is always better than versions. The other thing I wonder about is that this void pointer has been in rpm in 20+ years with no issues on any architecture. So I think this could use an explanation why exactly this is needing that alignment check now. When referring to things like compiler standards, it's good practise to point the relevant section that declares the undefined behavior - not everybody sleeps with compiler standards under their pillow I certainly do not. |
Agreed. That said,
It is, but that would require changing
Probably for the reason you mentioned in your next paragraph: I suspect that
Personally, if I see a C API taking a void pointer and length, I assume that there are no alignment requirements unless the documentation states that there are. |
So bottom line, this is all theoretical. While it's okay to improve theoretical cases too, it is not exactly high-priority work. Which is why asked you to make those reproducer cases available so I can prioritize. |
I don’t actually have reproducers for most of them. The more severe cases have been reported privately via secalert@redhat.com, as they have security implications. |
For heavens sake. All along I've asking to make available the reproducer cases that you DO HAVE. Nothing else. |
Sorry; this was a misunderstanding on my part. Uploaded in the other thread. |
Otherwise, we will dereference a misaligned pointer, which is undefined behavior.
1eb4725
to
781dba2
Compare
@pmatilai does this look okay? I understand it isn’t high priority, but it makes the API that little bit safer. |
On a second thought, NAK. There are too many redundant checks in the code as it is, and adding these kind of just-in-case checks doesn't do anything to help spot the actually crucial missing ones. Forest from the trees, you know. If somebody passes a random non-malloced address to headerImport() or friends, that's a bug in the caller code. Apologies for asking you to do extra work and then reject anyway, but there's simply too much on the plate as it is. |
That’s understandable. I will file a separate PR with a documentation fix, so that callers know what to do. |
Otherwise, we will dereference a misaligned pointer, which is undefined
behavior.