Avoid theoretical overflow of uintptr_t in AddAllLinkedExtensions

protobuf-github-bot · mkruskal-google · commit 08d520af1263 · 2026-05-05T12:15:22.000-07:00
PiperOrigin-RevId: 903908144
diff --git a/upb/mini_table/generated_registry.c b/upb/mini_table/generated_registry.c
@@ -7,6 +7,7 @@
 
 #include "upb/mini_table/generated_registry.h"
 
+#include <stddef.h>
 #include <stdint.h>
 
 #include "upb/mem/alloc.h"
@@ -41,12 +42,9 @@ static bool _upb_GeneratedRegistry_AddAllLinkedExtensions(
   const UPB_PRIVATE(upb_GeneratedExtensionListEntry)* entry =
       UPB_PRIVATE(upb_generated_extension_list);
   while (entry != NULL) {
-    // Comparing pointers to different objects is undefined behavior, so we
-    // convert them to uintptr_t and compare their values.
-    uintptr_t begin = (uintptr_t)entry->start;
-    uintptr_t end = (uintptr_t)entry->stop;
-    uintptr_t current = begin;
-    while (current < end) {
+    const char* current = (const char*)entry->start;
+    const char* end = (const char*)entry->stop;
+    while ((size_t)(end - current) >= sizeof(upb_MiniTableExtension)) {
       const upb_MiniTableExtension* ext =
           (const upb_MiniTableExtension*)current;
       // Sentinels and padding introduced by the linker can result in zeroed
