I went over the article a couple of times, but I cannot quite tell what the actual memmove bug is. Does this assert(ptr == array + 1) imply that the buggy memmove returns the wrong pointer?
As the author of the article, I might be able to clarify a bit ;-). It is not absolutely clear to me what the bug is. It only appears on a few devices so it is not a trivial bug. It seems to be triggered by certain sizes and probably how the block is placed in memory. To answer your question: yes, the return value of memmove seems to be wrong in some cases. ChengYi He's analysis indicates that an ARM/Neon instruction is skipped which could explain the miscalculation. Why it skips the instruction (more precisely, why PC is not incremented correctly after returning from an exception) isn't clear to me or ChengYi He.
sigjuice | 9 years ago
kneth | 9 years ago
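The assert(ptr == array + 1) in the question is one instance of a general check: memmove must return its destination argument and must move the bytes correctly even when source and destination overlap. The harness below, added here as an example and not code from the article or either commenter, sweeps sizes and source/destination offsets (the conditions the second comment suspects) and counts cases where either property fails; buffer size and the offset ranges are assumed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 256  /* assumed scratch buffer size */

/* Reference overlap-safe byte move used to check what libc memmove did. */
static void ref_move(unsigned char *dst, const unsigned char *src, size_t n) {
    if (dst < src) {
        for (size_t i = 0; i < n; i++) dst[i] = src[i];
    } else {
        for (size_t i = n; i > 0; i--) dst[i - 1] = src[i - 1];
    }
}

/* Run memmove for every length 0..max_len and for source/destination offsets
   0..15 inside one buffer (so the regions overlap in both directions), then
   compare the result with the reference move. Returns the number of failing
   cases: a return value that is not the destination pointer, or moved bytes
   that differ from the reference. A correct memmove yields 0. */
int check_memmove(size_t max_len) {
    static unsigned char a[BUF_LEN], b[BUF_LEN];
    int failures = 0;
    for (size_t n = 0; n <= max_len; n++) {
        for (size_t src_off = 0; src_off < 16; src_off++) {
            for (size_t dst_off = 0; dst_off < 16; dst_off++) {
                if (src_off + n > BUF_LEN || dst_off + n > BUF_LEN) continue;
                /* Same deterministic pattern in both buffers before the move. */
                for (size_t i = 0; i < BUF_LEN; i++)
                    a[i] = b[i] = (unsigned char)(i * 31 + 7);
                void *ret = memmove(a + dst_off, a + src_off, n);
                ref_move(b + dst_off, b + src_off, n);
                if (ret != (void *)(a + dst_off)) failures++;   /* wrong pointer */
                if (memcmp(a, b, BUF_LEN) != 0) failures++;     /* wrong bytes */
            }
        }
    }
    return failures;
}

int main(void) {
    int bad = check_memmove(200);
    printf("memmove check: %d failing cases\n", bad);
    return bad != 0;
}
```

Run it on the device under suspicion; a nonzero count pinpoints the length/offset combinations that misbehave, which is the data the article's author says is still missing.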