From e53bd221ab62456054c47a8131506f469af95cf7 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Fri, 15 May 2026 02:42:45 +0000
Subject: [PATCH 1/2] fix: V-001 security vulnerability Automated security fix generated by Orbis Security AI
---
 Source/Misra/Std/Container/Vec.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/Source/Misra/Std/Container/Vec.c b/Source/Misra/Std/Container/Vec.c
index a8854116..a09ba724 100644
--- a/Source/Misra/Std/Container/Vec.c
+++ b/Source/Misra/Std/Container/Vec.c
@@ -195,6 +195,9 @@ bool insert_range_into_vec(GenericVec *vec, const char *item_data, size item_siz
 }
 aligned_size = vec_aligned_size(vec, item_size);
+ if (count != 0 && aligned_size > SIZE_MAX / count) {
+ return false;
+ }
 if (vec->length + count >= vec->capacity) {
 if (!reserve_pow2_vec(vec, item_size, vec->capacity + count)) {
 return false;
@@ -257,6 +260,9 @@ bool insert_range_fast_into_vec(GenericVec *vec, const char *item_data, size ite
 }
 aligned_size = vec_aligned_size(vec, item_size);
+ if (count != 0 && aligned_size > SIZE_MAX / count) {
+ return false;
+ }
 if (vec->length + count >= vec->capacity) {
 if (!reserve_pow2_vec(vec, item_size, vec->length + count)) {
 return false;
@@ -323,6 +329,9 @@ void remove_range_vec(GenericVec *vec, void *removed_data, size item_size, size
 }
 }
+ if ((vec->length - start - count) != 0 && vec_aligned_size(vec, item_size) > SIZE_MAX / (vec->length - start - count)) {
+ LOG_FATAL("integer overflow in remove_range_vec: aligned_size * move_count would overflow");
+ }
 // all elements to new created space
 MemMove( // move to freed up space
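Review bot: The guard added after `aligned_size = vec_aligned_size(vec, item_size);` in insert_range_into_vec bounds only `aligned_size * count`, while the lines right below it still compute `vec->length + count` and `vec->capacity + count` with no wrap check, and any byte size derived from the grown capacity would multiply `aligned_size` by that larger total. A check on the total, `if (count > SIZE_MAX - vec->capacity || aligned_size > SIZE_MAX / (vec->capacity + count)) { return false; }`, would cover both; the same holds for the second hunk in insert_range_fast_into_vec, with `vec->length + count`. The parameters are declared with the project's `size` type, so SIZE_MAX is the right limit only if `size` is `size_t`, which the hunk does not show. Both function bodies start and end outside their hunks.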
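Review bot: The check added before `MemMove(` in remove_range_vec is an overflow test on a product, not a range test: if `start + count` exceeds `vec->length`, the unsigned subtraction `vec->length - start - count` wraps to a very large value, and for an aligned size of 1 the comparison against `SIZE_MAX / (...)` does not fire. Whether the range is validated earlier is not visible, since the function body starts above this hunk; if it is not, `if (start > vec->length || count > vec->length - start) { LOG_FATAL("remove_range_vec: range out of bounds"); }` is the check that actually protects the move. The guard also only helps if LOG_FATAL does not return, which applies equally to the hunk in fast_remove_range_vec; a one-line comment stating that LOG_FATAL aborts would make that dependency explicit. Storing the subtraction once in a local would avoid writing it twice in the condition.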
@@ -374,6 +383,9 @@ void fast_remove_range_vec(GenericVec *vec, void *removed_data, size item_size,
 }
 if (elements_to_move > 0) {
+ if (vec_aligned_size(vec, item_size) > SIZE_MAX / elements_to_move) {
+ LOG_FATAL("integer overflow in fast_remove_range_vec: aligned_size * elements_to_move would overflow");
+ }
 // Move the last 'elements_to_move' elements to the gap
 MemMove( // Move to freed up space
From 662cef4558a7458d99a332ff548246211650e782 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Fri, 15 May 2026 13:02:30 +0530
Subject: [PATCH 2/2] fix: remove redundant count != 0 guards in overflow checks Both insert_range_into_vec and insert_range_fast_into_vec already return early when count == 0, so the division-by-zero guard in the overflow check is unnecessary. Addresses review feedback on PR #38.
Co-Authored-By: Claude Opus 4.6
---
 Source/Misra/Std/Container/Vec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Source/Misra/Std/Container/Vec.c b/Source/Misra/Std/Container/Vec.c
index a09ba724..4f454b27 100644
--- a/Source/Misra/Std/Container/Vec.c
+++ b/Source/Misra/Std/Container/Vec.c
@@ -195,7 +195,7 @@ bool insert_range_into_vec(GenericVec *vec, const char *item_data, size item_siz
 }
 aligned_size = vec_aligned_size(vec, item_size);
- if (count != 0 && aligned_size > SIZE_MAX / count) {
+ if (aligned_size > SIZE_MAX / count) {
 return false;
 }
 if (vec->length + count >= vec->capacity) {
@@ -260,7 +260,7 @@ bool insert_range_fast_into_vec(GenericVec *vec, const char *item_data, size ite
 }
 aligned_size = vec_aligned_size(vec, item_size);
- if (count != 0 && aligned_size > SIZE_MAX / count) {
+ if (aligned_size > SIZE_MAX / count) {
 return false;
 }
 if (vec->length + count >= vec->capacity) {
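Review bot: With the `count != 0` term gone, `SIZE_MAX / count` in insert_range_into_vec is a division by zero unless the `count == 0` early return that the commit message refers to stays in place, and that return is above the hunk, so the dependency cannot be seen here. A comment on the check, `/* count != 0: the count == 0 case returned above */`, would keep a later edit to the early return from silently reintroducing undefined behaviour. The same applies to the second hunk in insert_range_fast_into_vec.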