commit 1077f85ed77bcfcd98d50281f37fb7e8f61e29fa
parent 4bd3edc59b5f4defe8e3fddcd0ddc4bf8bc2bf24
Author: Drew DeVault <sir@cmpwn.com>
Date: Fri, 6 Aug 2021 14:40:21 +0200
gen: use 'from' for inner union in cast-to-tagged
In this situation, 'from' is always a more specific union than 'to',
which means that it will always have a size equal to or less than 'to'.
If we based the inner type on the 'to' type, we could end up with a
larger type, which would cause out-of-bounds reads from the source
object.
The new approach might have issues on big-endian systems in the future;
we'll revisit it if we ever add a BE target.
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Diffstat:
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gen.c b/src/gen.c
@@ -494,7 +494,7 @@ gen_expr_cast_at(struct gen_context *ctx,
}
const struct type *innertype = type_store_tagged_to_union(
- ctx->store, type_dealias(to));
+ ctx->store, type_dealias(from));
struct gen_value iout = mktemp(ctx, innertype, ".%d");
struct gen_value ival = mktemp(ctx, innertype, ".%d");
struct qbe_value qiout = mkqval(ctx, &iout);
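Review bot: The correctness of basing innertype on `from` at the changed line rests on the invariant stated only in the commit message — that `from` is the narrower tagged union and so never larger than `to` — but nothing in the hunk records or checks it, so a later caller passing an unrelated union would silently reintroduce the over-read. A one-line comment above the call would keep the reason visible in the code: `/* 'from' is the narrower union, so its storage never exceeds 'to'; sizing the inner type from 'to' would read past the source object */`. If `struct type` exposes a size, an `assert` that the dealiased `from` is no larger than the dealiased `to` would turn the invariant into a check rather than a remark. The surrounding gen_expr_cast_at body begins and ends outside this hunk.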