
Commit c09c713

Authored by lucylq and Github Executorch
Fix double-scaled pointer arithmetic in ETDumpGen constructor (pytorch#18782)
`builder_ + sizeof(struct flatcc_builder)` results in `builder_ + sizeof(struct flatcc_builder) * sizeof(struct flatcc_builder)`, because C/C++ arithmetic `builder_ + N` advances by `N * sizeof(type)`, where `type` is the type of `builder_`. This means we get a pointer that advances past the intended memory location, potentially into unallocated memory. Replace with `builder_ + 1`, which correctly advances by exactly one `sizeof(struct flatcc_builder)` element.

This PR was authored with the assistance of Claude.

Co-authored-by: Github Executorch <github_executorch@arm.com>
Parent: 875f7c8 · Commit: c09c713
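To make the scaling described in the commit message concrete, here is an added C example (not ExecuTorch code) that recomputes `builder_size` from the changed lines with both the old and the new expression. `struct flatcc_builder`, `align_up` (standing in for `internal::align_pointer`) and the buffer are assumptions constructed for the demo; only the pointer arithmetic is the point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for flatcc's builder struct (assumption: the real
 * size does not matter, it only needs to be larger than one byte). */
struct flatcc_builder {
  unsigned char state[200];
};

/* Assumed behaviour of internal::align_pointer: round up to a multiple of
 * `align`, which must be a power of two. */
static uintptr_t align_up(uintptr_t p, uintptr_t align) {
  return (p + align - 1) & ~(align - 1);
}

/* Bytes from the start of `buffer` to the aligned region that follows the
 * builder object, computed the way the ETDumpGen constructor does.
 * `buggy` selects the expression from before the fix. */
size_t builder_size_bytes(const uint8_t* buffer, int buggy) {
  struct flatcc_builder* builder =
      (struct flatcc_builder*)align_up((uintptr_t)buffer, 64);
  /* `builder` has type struct flatcc_builder*, so `builder + N` moves
   * N * sizeof(struct flatcc_builder) bytes:
   *   builder + 1                             -> one object   (the fix)
   *   builder + sizeof(struct flatcc_builder) -> 200 objects  (the bug) */
  struct flatcc_builder* after =
      buggy ? builder + sizeof(struct flatcc_builder) : builder + 1;
  uintptr_t buffer_with_builder = align_up((uintptr_t)after, 64);
  return (size_t)(buffer_with_builder - (uintptr_t)buffer);
}

/* Constructed 64-byte-aligned buffer: the arithmetic above is then exact and
 * even the buggy pointer still lands inside real storage. */
_Alignas(64) uint8_t demo_buffer[64 * 1024];

int main(void) {
  size_t max_alloc_buf_size = 1024; /* constructed value for min_buf_size */
  size_t fixed = builder_size_bytes(demo_buffer, 0);
  size_t buggy = builder_size_bytes(demo_buffer, 1);
  printf("sizeof(struct flatcc_builder) = %zu\n", sizeof(struct flatcc_builder));
  printf("fixed: builder_size=%zu min_buf_size=%zu\n",
         fixed, fixed + max_alloc_buf_size);
  printf("buggy: builder_size=%zu min_buf_size=%zu\n",
         buggy, buggy + max_alloc_buf_size);
  return 0;
}
```

With the 200-byte stand-in, the fixed form reserves 256 bytes (one builder rounded up to 64), while the old form reserves 40000 bytes, i.e. sizeof(struct flatcc_builder) squared, so every derived size and pointer was off by that factor.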

1 file changed: devtools/etdump/etdump_flatcc.cpp (2 additions & 2 deletions)
@@ -116,8 +116,8 @@ ETDumpGen::ETDumpGen(Span<uint8_t> buffer) {
116116
if (buffer.data() != nullptr) {
117117
builder_ =
118118
(struct flatcc_builder*)internal::align_pointer(buffer.data(), 64);
119-
uintptr_t buffer_with_builder = (uintptr_t)internal::align_pointer(
120-
builder_ + sizeof(struct flatcc_builder), 64);
119+
uintptr_t buffer_with_builder =
120+
(uintptr_t)internal::align_pointer(builder_ + 1, 64);
121121
size_t builder_size =
122122
(size_t)(buffer_with_builder - (uintptr_t)buffer.data());
123123
size_t min_buf_size = max_alloc_buf_size + builder_size;
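Review bot: `builder_ + 1` is the right correction for the line that computes `buffer_with_builder`; because `builder_` has type `struct flatcc_builder*`, the removed `builder_ + sizeof(struct flatcc_builder)` advanced by `sizeof(struct flatcc_builder)` elements, so the old `buffer_with_builder`, and the `builder_size` and `min_buf_size` derived from it in the unchanged lines below, covered `sizeof(struct flatcc_builder)` squared bytes instead of one builder object. Two suggestions: add a short comment on the new line (e.g. `// skip exactly one flatcc_builder object`) so the next reader does not "fix" it back to a byte count, and add a regression test that constructs `ETDumpGen` with a buffer only slightly larger than one aligned builder plus `max_alloc_buf_size`, which the old arithmetic would have treated as far too small, so that whatever consumes `min_buf_size` after this hunk is exercised with the corrected, smaller `builder_size`.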
