diff options
author | John Bowler <jbowler@acm.org> | 2015-12-17 12:53:08 -0800 |
---|---|---|
committer | John Bowler <jbowler@acm.org> | 2015-12-17 12:57:49 -0800 |
commit | 829cba63d385fd011db8e8473100623cd819cea3 (patch) | |
tree | fd0b781cb8ad46c14cb08247a913188febf5ca5f | |
parent | b409572cec7ebd75d0eaf1955af28cf07ff2641e (diff) | |
download | libpng-829cba63d385fd011db8e8473100623cd819cea3.tar.gz |
Fix undefined behavior in pngvalid.c
Undefined because (png_byte) << shift is undefined if it changes the signed bit
(because png_byte is promoted to int). The libpng exported functions
png_get_uint_32 and png_get_uint_16 handle this.
Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8.
This changes pngvalid to use BE random numbers; this used to produce errors but
these should not be fixed as a result of the previous changes.
Signed-off-by: John Bowler <jbowler@acm.org>
-rw-r--r-- | contrib/libtests/pngvalid.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/contrib/libtests/pngvalid.c b/contrib/libtests/pngvalid.c index 070757c01..337e84384 100644 --- a/contrib/libtests/pngvalid.c +++ b/contrib/libtests/pngvalid.c @@ -305,7 +305,7 @@ static void r16(png_uint_16p p16, size_t count) { unsigned char b2[2]; randomize(b2, sizeof b2); - *p16++ = 0xFFFFU & ((b2[1] << 8) + b2[0]); + *p16++ = png_get_uint_16(b2); } } @@ -322,7 +322,7 @@ static void r32(png_uint_32p p32, size_t count) { unsigned char b4[4]; randomize(b4, sizeof b4); - *p32++ = (b4[3] << 24) + (b4[2] << 16) + (b4[1] << 8) + b4[0]; + *p32++ = png_get_uint_32(b4); } } |