From d8a51d5bff3e78d6c118540e047528b88be782c3 Mon Sep 17 00:00:00 2001 From: 94xhn <94xhn1@gmail.com> Date: Thu, 16 Jul 2026 23:01:03 +0800 Subject: [PATCH] Reject invalid ROM lengths before copying uvm32_load accepted negative int lengths and forwarded them to the size_t copy parameter. Reject them alongside oversized ROMs so invalid input follows the existing false return path. Constraint: Keep the public int signature and existing zero/exact-fit behavior Rejected: Change len to size_t | unnecessary API and ABI change Confidence: high Scope-risk: narrow Directive: Validate signed lengths before passing them to size_t APIs Tested: Hook boundary matrix on MinGW GCC 8 and WSL GCC 13; Unity badcode 2/2; stack-protection configuration; WSL ASan/UBSan; git diff --check Not-tested: Full Docker suite locally because the RISC-V cross compiler and Docker service were unavailable --- test/badcode/test/tests.c | 4 ++++ uvm32/uvm32.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/test/badcode/test/tests.c b/test/badcode/test/tests.c index 05e51c7..506a0c3 100644 --- a/test/badcode/test/tests.c +++ b/test/badcode/test/tests.c @@ -20,4 +20,8 @@ void test_giant_rom(void) { TEST_ASSERT_EQUAL(false, uvm32_load(&vmst, rom_bin, UVM32_MEMORY_SIZE+1)); // if it reads off end of rom_bin, will crash } +void test_negative_rom_length(void) { + uvm32_init(&vmst); + TEST_ASSERT_EQUAL(false, uvm32_load(&vmst, rom_bin, -1)); +} diff --git a/uvm32/uvm32.c b/uvm32/uvm32.c index d5e629b..8ba18b9 100644 --- a/uvm32/uvm32.c +++ b/uvm32/uvm32.c @@ -121,8 +121,8 @@ void uvm32_init(uvm32_state_t *vmst) { } bool uvm32_load(uvm32_state_t *vmst, const uint8_t *rom, int len) { - if (len > UVM32_MEMORY_SIZE) { - // too big + if (len < 0 || len > UVM32_MEMORY_SIZE) { + // invalid length return false; }