Skip to content

Reject negative ROM lengths in uvm32_load#12

Merged
ringtailsoftware merged 1 commit into
ringtailsoftware:mainfrom
94xhn:fix/load-negative-length
Jul 16, 2026
Merged

Reject negative ROM lengths in uvm32_load#12
ringtailsoftware merged 1 commit into
ringtailsoftware:mainfrom
94xhn:fix/load-negative-length

Conversation

@94xhn

@94xhn 94xhn commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • reject negative ROM lengths through the existing false return path
  • keep zero, positive, exact-fit, and oversized behavior unchanged
  • add a regression test to the existing badcode suite

Problem

uvm32_load() accepts len as an int, but currently checks only whether it exceeds UVM32_MEMORY_SIZE. A negative value therefore reaches UVM32_MEMCPY, whose length parameter is size_t, after an unintended signed-to-unsigned conversion.

Negative byte counts have no valid meaning for this API. Checking the lower bound before the copy keeps invalid input consistent with the existing oversized-ROM behavior without changing the public signature.

Testing

A non-copying UVM32_MEMCPY recording hook linked the real uvm32.c and exercised INT_MIN, -1, 0, 1, exact fit, and one byte over the limit.

On current main, INT_MIN and -1 both returned true and invoked the copy hook once. With this change they return false without invoking it; all non-negative boundary results remain unchanged.

Verified with:

  • MinGW GCC 8.1 and WSL GCC 13.3 using C99, -Wall, and -Werror
  • the repository's generated Unity badcode runner: 2 tests, 0 failures on both toolchains
  • UVM32_STACK_PROTECTION enabled
  • WSL AddressSanitizer and UndefinedBehaviorSanitizer
  • git diff --check

Limitations

The full Docker suite was not available locally because this machine does not have the repository's RISC-V cross compiler and its Docker service is not running. The pull request CI will run that complete environment.

uvm32_load accepted negative int lengths and forwarded them to the size_t copy parameter. Reject them alongside oversized ROMs so invalid input follows the existing false return path.

Constraint: Keep the public int signature and existing zero/exact-fit behavior
Rejected: Change len to size_t | unnecessary API and ABI change
Confidence: high
Scope-risk: narrow
Directive: Validate signed lengths before passing them to size_t APIs
Tested: Hook boundary matrix on MinGW GCC 8 and WSL GCC 13; Unity badcode 2/2; stack-protection configuration; WSL ASan/UBSan; git diff --check
Not-tested: Full Docker suite locally because the RISC-V cross compiler and Docker service were unavailable
@94xhn
94xhn temporarily deployed to github-pages July 16, 2026 15:15 — with GitHub Actions Inactive
@ringtailsoftware
ringtailsoftware merged commit 6055e7f into ringtailsoftware:main Jul 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants