Finished making the changes.
There are two types of checks that were being done before:
(1) offset < 0? size < 0? offset + size > buffer.Length? This is trivial to get around. If I make both offset and size positive but have the sum overflow, it will pass all three checks.
(2) offset in range? size in range? If the buffer is very large this might run into overflow issues with its checking, though fine most of the time...
Is the offset in range? And is the size in range against buffer.Length - offset (which we know to be >= 0 from the earlier offset check)? This method of bounds checking is not in any danger from two's complement overflows.
projects / mono.git / commit