Fix buffer overflow from scoring bin rounding #864
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rtownson
approved these changes
Apr 6, 2022
blakewalters
approved these changes
Jun 3, 2022
ftessier
approved these changes
Jun 27, 2022
Before this change, there was a small risk of buffer overflow in the tutor7pp fluence scoring arrays. The value r2 was checked to be less than 400, and then the scoring bin number (from 0 to 199) is calculated using the expression (int)(sqrt(r2)*10.). The problem with this check is that certain double precision values less than 400 can nevertheless have a square root equal to exactly 20.0 due to floating-point rounding. For example, taking the square root of the double 399.99999999999994 results in 20.0 under certain conditions, not a value slightly less than 20.0 as would be expected. The default g++ rounding mode is round-to-nearest, so even with the square root's true value being under 20.0, the resulting double can be rounded upwards to 20.0 if the true value is closer to 20.0 than the previous representable float. Then, scoring in bin 200 results in buffer overflow in the scoring array. This change ensures the resulting scoring array bin integer is in bounds (< 200), eliminating the potential for buffer overflow.
ftessier
force-pushed
the
tutor7pp-oob-fluence-scoring
branch
from
e30ccda
to
067f00a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before this change, there was a small risk of buffer overflow in the
tutor7pp fluence scoring arrays. The value r2 was checked to be less
than 400, and then the scoring bin number (from 0 to 199) is calculated
using the expression
(int)(sqrt(r2)*10.). The problem with this checkis that certain double precision values less than 400 can nevertheless
have a square root equal to exactly 20.0 due to floating-point rounding.
For example, taking the square root of the double 399.99999999999994
results in 20.0 under certain conditions, not a value slightly less than
20.0 as would be expected. The default g++ rounding mode is
round-to-nearest, so even with the square root's true value being under
20.0, the resulting double can be rounded upwards to 20.0 if the true
value is closer to 20.0 than the previous representable float. Then,
scoring in bin 200 results in buffer overflow in the scoring array.
This change ensures the resulting scoring array bin integer is in bounds
(< 200), eliminating the potential for buffer overflow.
Fixes #863.