From fc5a349a722fdd86698a4ded0f7f44556ca5856b Mon Sep 17 00:00:00 2001
From: Erik Boasson
Date: Thu, 2 May 2019 11:14:07 +0800
Subject: [PATCH] out-of-bounds write nn_bitset_one w multiple of 32

nn_bitset_one sets the specified number of bits by first memset'ing the words, then clearing bits set in a final partial word. It mishandled the case where the number of bits is a multiple of 32, clearing the entire word following the last one it was to touch.

Signed-off-by: Erik Boasson
---
 src/core/ddsi/include/dds/ddsi/q_bitset.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/core/ddsi/include/dds/ddsi/q_bitset.h b/src/core/ddsi/include/dds/ddsi/q_bitset.h
index 630d16a..a359f82 100644
--- a/src/core/ddsi/include/dds/ddsi/q_bitset.h
+++ b/src/core/ddsi/include/dds/ddsi/q_bitset.h
@@ -49,6 +49,7 @@ inline void nn_bitset_one (uint32_t numbits, uint32_t *bits)
 memset (bits, 0xff, 4 * ((numbits + 31) / 32));
 /* clear bits "accidentally" set */
+ if ((numbits % 32) != 0)
 {
 const uint32_t k = numbits / 32;
 const uint32_t n = numbits % 32;
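Review bot: The added guard `if ((numbits % 32) != 0)` is the entire out-of-bounds fix, yet nothing at that line says why a zero remainder must skip the block. Going by the commit message, index `numbits / 32` is then one past the last word the memset filled, and the masking step would clear that whole word. I would extend the existing comment to something like `/* clear bits "accidentally" set; if numbits is a multiple of 32 there is no partial word and bits[numbits / 32] is past the words set above, so leave it alone */`. The remainder is now computed twice, in the guard and in `n`, so declaring `n` before the guard and testing `if (n != 0)` would stop the two from drifting apart. The masking statement and the end of nn_bitset_one are outside the hunk, and the diffstat shows no test for numbits = 32 or 64 landing with the fix.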