Commit d265d3a2 authored by mlippautz's avatar mlippautz Committed by Commit bot

[heap] Fix off-by-one cell read in verification methods

The value read was always &-ed with 0, so the result was technically correct.
ASAN rightfully complains when allocating an external bitmap, though.

BUG=chromium:651354
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2799283002
Cr-Commit-Position: refs/heads/master@{#44453}
parent 4f03ccdf
......@@ -227,10 +227,16 @@ class Bitmap {
if (cells()[i] != ~0u) return false;
}
matching_mask = (end_index_mask - 1);
return ((cells()[end_cell_index] & matching_mask) == matching_mask);
// Check against a mask of 0 to avoid dereferencing the cell after the
// end of the bitmap.
return (matching_mask == 0) ||
((cells()[end_cell_index] & matching_mask) == matching_mask);
} else {
matching_mask = end_index_mask - start_index_mask;
return (cells()[end_cell_index] & matching_mask) == matching_mask;
// Check against a mask of 0 to avoid dereferencing the cell after the
// end of the bitmap.
return (matching_mask == 0) ||
(cells()[end_cell_index] & matching_mask) == matching_mask;
}
}
......@@ -250,10 +256,14 @@ class Bitmap {
if (cells()[i]) return false;
}
matching_mask = (end_index_mask - 1);
return !(cells()[end_cell_index] & matching_mask);
// Check against a mask of 0 to avoid dereferencing the cell after the
// end of the bitmap.
return (matching_mask == 0) || !(cells()[end_cell_index] & matching_mask);
} else {
matching_mask = end_index_mask - start_index_mask;
return !(cells()[end_cell_index] & matching_mask);
// Check against a mask of 0 to avoid dereferencing the cell after the
// end of the bitmap.
return (matching_mask == 0) || !(cells()[end_cell_index] & matching_mask);
}
}
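Review bot: The new `matching_mask == 0` guards on the four return statements (both branches here and both in the first hunk) skip the read only when the range ends exactly on a cell boundary. Nothing visible bounds `end_cell_index` when the mask is non-zero, so an `end_index` past the bitmap would still index beyond `cells()`. Because these are verification helpers, a debug assertion ahead of the index computation, e.g. `DCHECK_LE(end_index, <bitmap length in bits>);` using the project's own constant, would turn such a caller bug into a deterministic failure instead of an ASAN-only finding. In the `else` branches the mask appears to be zero only for an empty range (start and end index equal), so that comment could say so rather than repeat the boundary wording. Both function bodies start above the hunks, so an equivalent check may already exist there.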
......