const UInt_t* trailerWords = reinterpret_cast<const UInt_t*>(end) - 2;
if (fAutoDetectTrailer)
{
- if (trailerWords >= bufferStart and *trailerWords == fgkEndOfDDL
- and *(trailerWords+1) == fgkEndOfDDL
+ if (trailerWords >= bufferStart and trailerWords < bufferEnd
+ and *trailerWords == fgkEndOfDDL and *(trailerWords+1) == fgkEndOfDDL
)
{
// Found the trailer so reposition the end of blocks marker.
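Review bot: The added `trailerWords < bufferEnd` bounds only the first trailer word, while `*(trailerWords+1)` in the same condition is still read with no upper bound. A `trailerWords` that sits on the last word of the buffer would therefore read one word past `bufferEnd`. Bounding the second word covers both reads: `if (trailerWords >= bufferStart and trailerWords+1 < bufferEnd`. The `fCheckForTrailer` branch in the next hunk repeats the condition and needs the same change. The enclosing function starts and ends outside this hunk, so whether `end` can actually exceed `bufferEnd` is not visible here.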
}
else if (fCheckForTrailer)
{
- if (trailerWords >= bufferStart and *trailerWords == fgkEndOfDDL
- and *(trailerWords+1) == fgkEndOfDDL
+ if (trailerWords >= bufferStart and trailerWords < bufferEnd
+ and *trailerWords == fgkEndOfDDL and *(trailerWords+1) == fgkEndOfDDL
)
{
// Found the trailer so reposition the end of blocks marker.
}
else
{
- if (trailerWords+1 >= bufferStart and *(trailerWords+1) == fgkEndOfDDL)
+ if (trailerWords+1 >= bufferStart and trailerWords+1 < bufferEnd and *(trailerWords+1) == fgkEndOfDDL)
fHandler.OnError(EventHandler::kTooFewDDLTrailerWords, trailerWords+1);
- else if (trailerWords >= bufferStart and *(trailerWords) == fgkEndOfDDL)
+ else if (trailerWords >= bufferStart and trailerWords < bufferEnd and *(trailerWords) == fgkEndOfDDL)
fHandler.OnError(EventHandler::kTooFewDDLTrailerWords, trailerWords);
else
fHandler.OnError(EventHandler::kNoDDLTrailerWords, end);
{
trailerWords = bufferEnd;
// There should only be a max of 2 trailer words.
- if (*(trailerWords-1) == fgkEndOfDDL)
- trailerWords--;
- else if (*(trailerWords-1) == fgkEndOfDDL)
- trailerWords--;
+ if (trailerWords-2 >= bufferStart and trailerWords-2 < bufferEnd and *(trailerWords-2) == fgkEndOfDDL)
+ trailerWords -= 2;
+ else if (trailerWords-1 >= bufferStart and trailerWords-1 < bufferEnd and *(trailerWords-1) == fgkEndOfDDL)
+ trailerWords -= 1;
endOfBlocks = reinterpret_cast<const UChar_t*>(trailerWords);
}
}
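Review bot: The `< bufferEnd` half of both added conditions can never fail, because `trailerWords` was set to `bufferEnd` just above, so the lower bound is the only effective test. That lower bound forms `trailerWords-2` before comparing it, which is a pointer in front of the buffer whenever fewer than two words are present. Counting words avoids this: `const ptrdiff_t nWords = bufferEnd - bufferStart;`, then `if (nWords >= 2 and *(bufferEnd-2) == fgkEndOfDDL)` and `else if (nWords >= 1 and *(bufferEnd-1) == fgkEndOfDDL)`. The two-word step also does not look at `*(trailerWords-1)`. If stepping back over a corrupt last word is intended, a comment saying so would help; otherwise that word should be tested as well.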
const AliMUONBlockHeaderStruct* blockHeader
= reinterpret_cast<const AliMUONBlockHeaderStruct*>(blockStart);
current += sizeof(AliMUONBlockHeaderStruct);
- if (current > endOfBlocks)
+ if (current > endOfBlocks or current < start)
{
+ // If we overflowed the pointer and already had an error then
+ // we are clearly lost so just stop decoding before we segfault.
+ if (current < start and fHadError) return;
+
// We first check if we actually hit the end of DDL markers
// If we did then either we did not/could not recover from
// a corrupt trailer or we did not detect a correct trailer
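Review bot: The `current < start` test can only see the overflow after `current += sizeof(AliMUONBlockHeaderStruct)` has already wrapped, and pointer wrap-around is undefined behaviour, so an optimising compiler is allowed to drop the comparison. Testing the space that is left, ahead of the `+=`, does not depend on the wrap: `if (current > endOfBlocks or size_t(endOfBlocks - current) < sizeof(AliMUONBlockHeaderStruct))`. The added early `return` also fires only when `fHadError` is already set, so a wrapped pointer on the first error still continues into the code below, which lies outside this hunk. The DSP header and bus patch header hunks further down add the same pattern with `return false`.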
// If any of the above fail then we know there is a problem with
// the block header. It must be corrupted somehow.
if (blockHeader->fDataKey != fgkBlockDataKey
- or dataEnd > endOfBlocks or blockEnd > endOfBlocks or dataEnd != blockEnd)
+ or dataEnd > endOfBlocks or dataEnd < start
+ or blockEnd > endOfBlocks or blockEnd < start
+ or dataEnd != blockEnd)
{
// So let us see what exactly is wrong and report this.
if (blockCount == fMaxBlocks)
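Review bot: The new lower bound compares `dataEnd` and `blockEnd` with `start`, but a wrapped or corrupt length can also land between `start` and `current`. Such a value passes both `< start` and `> endOfBlocks`, giving a block that ends before its own header. Assuming `current` still points just past the block header at this point, `or dataEnd < current` and `or blockEnd < current` are the tighter tests. How the two end pointers are derived from the header length fields is outside this hunk. The error-reporting hunk that follows and the DSP and bus patch equivalents compare against `start` in the same way.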
}
if (blockHeader->fDataKey != fgkBlockDataKey)
fHandler.OnError(EventHandler::kBadBlockKey, &blockHeader->fDataKey);
- if (blockEnd > endOfBlocks)
+ if (blockEnd > endOfBlocks or blockEnd < start)
fHandler.OnError(EventHandler::kBadBlockLength, &blockHeader->fLength);
- if (dataEnd > endOfBlocks)
+ if (dataEnd > endOfBlocks or dataEnd < start)
fHandler.OnError(EventHandler::kBadBlockTotalLength, &blockHeader->fTotalLength);
if (dataEnd != blockEnd)
fHandler.OnError(EventHandler::kBlockLengthMismatch, blockHeader);
const AliMUONDSPHeaderStruct* dspHeader
= reinterpret_cast<const AliMUONDSPHeaderStruct*>(dspStart);
current += sizeof(AliMUONDSPHeaderStruct);
- if (current > end)
+ if (current > end or current < start)
{
+ // If we overflowed the pointer and already had an error then
+ // we are clearly lost so just stop decoding before we segfault.
+ if (current < start and fHadError) return false;
+
// So we only got part of a DSP header at the very end of
// the block structure buffer. Nothing to do but report the
// error and exit. Set fHadError in case of further decoding.
// If any of the above fail then we know there is a problem with
// the DSP header. It must be corrupted somehow.
if (dspHeader->fDataKey != fgkDSPDataKey
- or dataEnd > end or dspEnd > end or dataEnd != dspEnd)
+ or dataEnd > end or dataEnd < start
+ or dspEnd > end or dspEnd < start
+ or dataEnd != dspEnd)
{
// So let us see what exactly is wrong and report this.
if (dspHeader->fDataKey != fgkDSPDataKey)
fHandler.OnError(EventHandler::kBadDSPKey, &dspHeader->fDataKey);
- if (dspEnd > end)
+ if (dspEnd > end or dspEnd < start)
fHandler.OnError(EventHandler::kBadDSPLength, &dspHeader->fLength);
- if (dataEnd > end)
+ if (dataEnd > end or dataEnd < start)
fHandler.OnError(EventHandler::kBadDSPTotalLength, &dspHeader->fTotalLength);
if (dataEnd != dspEnd)
fHandler.OnError(EventHandler::kDSPLengthMismatch, dspHeader);
const AliMUONBusPatchHeaderStruct* busPatchHeader
= reinterpret_cast<const AliMUONBusPatchHeaderStruct*>(busPatchStart);
current += sizeof(AliMUONBusPatchHeaderStruct);
- if (current > end)
+ if (current > end or current < start)
{
+ // If we overflowed the pointer and already had an error then
+ // we are clearly lost so just stop decoding before we segfault.
+ if (current < start and fHadError) return false;
+
// So we only got part of a bus patch header at the very
// end of the DSP structure buffer. Nothing to do but
// report the error and exit. Set fHadError in case of
// If any of the above fail then we know there is a problem with
// the bus patch header. It must be corrupted somehow.
if (busPatchHeader->fDataKey != fgkBusPatchDataKey
- or dataEnd > end or busPatchEnd > end or dataEnd != busPatchEnd)
+ or dataEnd > end or dataEnd < start
+ or busPatchEnd > end or busPatchEnd < start
+ or dataEnd != busPatchEnd)
{
// So let us see what exactly is wrong and report this.
if (busPatchHeader->fDataKey != fgkBusPatchDataKey)
fHandler.OnError(EventHandler::kBadBusPatchKey, &busPatchHeader->fDataKey);
- if (busPatchEnd > end)
+ if (busPatchEnd > end or busPatchEnd < start)
fHandler.OnError(EventHandler::kBadBusPatchLength, &busPatchHeader->fLength);
- if (dataEnd > end)
+ if (dataEnd > end or dataEnd < start)
fHandler.OnError(EventHandler::kBadBusPatchTotalLength, &busPatchHeader->fTotalLength);
if (dataEnd != busPatchEnd)
fHandler.OnError(EventHandler::kBusPatchLengthMismatch, busPatchHeader);
{
// Must check that we can read another 4 bytes before
// checking the key at dataEnd.
- if (dataEnd + sizeof(UInt_t) <= bufferEnd)
+ if (dataEnd + sizeof(UInt_t) <= bufferEnd and dataEnd + sizeof(UInt_t) > structStart)
{
if (*keyAtDataEnd == fgkBlockDataKey)
lengthIsCorrect = true;
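Review bot: The added `dataEnd + sizeof(UInt_t) > structStart` still accepts a `dataEnd` up to three bytes below `structStart`, so the four-byte key read at `keyAtDataEnd` (presumably a cast of `dataEnd`) can begin in front of the structure. Both sums can also wrap before they are compared. Bounding the pointer itself and then the remaining length avoids both: `if (dataEnd >= structStart and dataEnd <= bufferEnd and size_t(bufferEnd - dataEnd) >= sizeof(UInt_t))`. The five following hunks repeat the condition for `dataEnd` and `structEnd` and would take the same form.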
{
// Must check that we can read another 4 bytes before
// checking the key at structEnd.
- if (structEnd + sizeof(UInt_t) <= bufferEnd)
+ if (structEnd + sizeof(UInt_t) <= bufferEnd and structEnd + sizeof(UInt_t) > structStart)
{
if (*keyAtStructEnd == fgkBlockDataKey)
totalLengthIsCorrect = true;
{
// Must check that we can read another 4 bytes before
// checking the key at dataEnd.
- if (dataEnd + sizeof(UInt_t) <= bufferEnd)
+ if (dataEnd + sizeof(UInt_t) <= bufferEnd and dataEnd + sizeof(UInt_t) > structStart)
{
if (*keyAtDataEnd == fgkBlockDataKey
or *keyAtDataEnd == fgkDSPDataKey)
{
// Must check that we can read another 4 bytes before
// checking the key at structEnd.
- if (structEnd + sizeof(UInt_t) <= bufferEnd)
+ if (structEnd + sizeof(UInt_t) <= bufferEnd and structEnd + sizeof(UInt_t) > structStart)
{
if (*keyAtStructEnd == fgkBlockDataKey
or *keyAtStructEnd == fgkDSPDataKey)
{
// Must check that we can read another 4 bytes before
// checking the key at dataEnd.
- if (dataEnd + sizeof(UInt_t) <= bufferEnd)
+ if (dataEnd + sizeof(UInt_t) <= bufferEnd and dataEnd + sizeof(UInt_t) > structStart)
{
if (*keyAtDataEnd == fgkDSPDataKey
or *keyAtDataEnd == fgkBusPatchDataKey)
{
// Must check that we can read another 4 bytes before
// checking the key at structEnd.
- if (structEnd + sizeof(UInt_t) <= bufferEnd)
+ if (structEnd + sizeof(UInt_t) <= bufferEnd and structEnd + sizeof(UInt_t) > structStart)
{
if (*keyAtStructEnd == fgkDSPDataKey
or *keyAtStructEnd == fgkBusPatchDataKey)
/// should point to 'start + bufferSize', i.e. just past the last byte of the
/// buffer. If the key was found then the pointer to that location is returned
/// otherwise NULL is returned.
-
+
+ if (end + sizeof(UInt_t) < start) return NULL; // check for pointer overflow.
const UChar_t* current = start;
while (current + sizeof(UInt_t) <= end)
{
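Review bot: The new guard `end + sizeof(UInt_t) < start` and the loop condition `current + sizeof(UInt_t) <= end` both add to a pointer before comparing, so they only work if the sum is allowed to wrap, which the language does not guarantee. Comparing the pointers directly and bounding the loop by the bytes that remain expresses the same intent without the addition: `if (end < start) return NULL;` and `while (size_t(end - current) >= sizeof(UInt_t))`. The doc comment above should also say that NULL is returned for an invalid `end`, since callers cannot otherwise tell this case from "key not found". The loop body lies outside this hunk.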