From: Mark Adler Date: Thu, 29 Sep 2016 03:20:25 +0000 (-0700) Subject: Avoid pre-decrement of pointer in big-endian CRC calculation. X-Git-Tag: 1.9.9-b1~743 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2234eb9f0a3f4e753ad059af5f6288dbd269868e;p=thirdparty%2Fzlib-ng.git Avoid pre-decrement of pointer in big-endian CRC calculation. There was a small optimization for PowerPCs to pre-increment a pointer when accessing a word, instead of post-incrementing. This required prefacing the loop with a decrement of the pointer, possibly pointing before the object passed. This is not compliant with the C standard, for which decrementing a pointer before its allocated memory is undefined. When tested on a modern PowerPC with a modern compiler, the optimization no longer has any effect. Due to all that, and per the recommendation of a security audit of the zlib code by Trail of Bits and TrustInSoft, in support of the Mozilla Foundation, this "optimization" was removed, in order to avoid the possibility of undefined behavior. --- diff --git a/crc32.c b/crc32.c index 433244d86..7dd287ee1 100644 --- a/crc32.c +++ b/crc32.c @@ -291,7 +291,7 @@ static uint32_t crc32_little(uint32_t crc, const unsigned char *buf, z_off64_t l /* ========================================================================= */ #if BYTE_ORDER == BIG_ENDIAN -#define DOBIG4 c ^= *++buf4; \ +#define DOBIG4 c ^= *buf4++; \ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 @@ -309,7 +309,6 @@ static uint32_t crc32_big(uint32_t crc, const unsigned char *buf, z_off64_t len) } buf4 = (const uint32_t *)(const void *)buf; - buf4--; #ifndef UNROLL_LESS while (len >= 32) { @@ -322,7 +321,6 @@ static uint32_t crc32_big(uint32_t crc, const unsigned char *buf, z_off64_t len) DOBIG4; len -= 4; } - buf4++; buf = (const unsigned char *)buf4; if (len) do {