mirror of
https://github.com/llvm/llvm-project.git
synced 2025-04-16 15:26:47 +00:00

Prior to this, we would check if the end of the allocator cache was located before the end of the chunk passed to the tls check. However, if the actual allocator cache comes after the end of the chunk, then the sub in the `end - params->allocator_caches[i]` bit overflows.

Since the resulting type is an unsigned uptr, this is not UB, but if the signed result would be a negative value (i.e. `end < params->allocator_caches[i]`) then this will actually result in a very large unsigned value much bigger than the compared `sizeof(AllocatorCache)`, which will almost always be true.

This can cause ScanRangeForPointers to accept incorrect values: a begin pointing to some address, and `params->allocator_caches[i]` pointing to some much larger address way past the end of the chunk, which can result in a page fault/stack overflow.

Differential Revision: https://reviews.llvm.org/D159518
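The wraparound the commit message describes, as an added illustration that is not LSan's code and not part of this commit: the chunk bounds, the cache addresses, the two predicates and the 4096-byte stand-in for `sizeof(AllocatorCache)` are all constructed here. `CacheFitsBuggy` writes the "cache ends before the chunk ends" test as an unsigned subtraction compared against the cache size, the shape the message attributes to the old code; `CacheFitsFixed` rejects a cache located past the chunk end before subtracting, so the difference can never wrap.

```cpp
// Added example: unsigned-subtraction wraparound in a "does this cache lie
// inside the chunk" check. Hypothetical code, not compiler-rt's; the ranges,
// predicate names and cache size are assumptions made for illustration.
#include <cstdint>
#include <cstdio>

typedef uintptr_t uptr;  // same spelling as sanitizer_common's uptr

// Stand-in for sizeof(AllocatorCache); the real value is target dependent.
static const uptr kCacheSize = 4096;

// The difference the buggy check computes. With cache > end the result does
// not go negative but wraps to a huge unsigned value.
uptr WrappedDistance(uptr chunk_end, uptr cache) { return chunk_end - cache; }

// Buggy predicate: "cache ends before the chunk ends" written as
// chunk_end - cache >= kCacheSize. Any cache address located after the chunk
// makes the subtraction wrap, so the comparison is almost always true.
bool CacheFitsBuggy(uptr chunk_begin, uptr chunk_end, uptr cache) {
  return cache >= chunk_begin && chunk_end - cache >= kCacheSize;
}

// Fixed predicate: establish cache <= chunk_end first, then the subtraction
// is well ordered and the check reads "cache fits in [cache, chunk_end]".
// Written without cache + kCacheSize so it cannot overflow near the top of
// the address space either.
bool CacheFitsFixed(uptr chunk_begin, uptr chunk_end, uptr cache) {
  return cache >= chunk_begin && cache <= chunk_end &&
         chunk_end - cache >= kCacheSize;
}

int main() {
  // Constructed 64 KiB "tls chunk" and three candidate cache addresses.
  const uptr tls_begin = 0x7f0000000000;
  const uptr tls_end = tls_begin + 0x10000;
  const uptr cache_inside = tls_begin + 0x100;  // genuinely within the chunk
  const uptr cache_before = tls_begin - 0x800;  // below the chunk
  const uptr cache_after = tls_end + 0x1000;    // past the chunk: the bad case

  const uptr candidates[] = {cache_inside, cache_before, cache_after};
  for (uptr cache : candidates) {
    std::printf("cache=%#lx end-cache=%#lx buggy=%d fixed=%d\n",
                (unsigned long)cache,
                (unsigned long)WrappedDistance(tls_end, cache),
                CacheFitsBuggy(tls_begin, tls_end, cache),
                CacheFitsFixed(tls_begin, tls_end, cache));
  }
  return 0;
}
```

For `cache_after` the buggy predicate reports a fit even though the cache lies entirely outside the chunk, which is exactly the input the message says gets handed on to the scanner; the fixed predicate rejects it while agreeing with the buggy one on the other two cases.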