Paul Eggert <[EMAIL PROTECTED]> wrote:
> Jim Meyering <[EMAIL PROTECTED]> writes:
>
>> - if (((size_t) -1) / 2 / s < n)
>> + if ((2 * (((size_t) -1 - 1) / 3)) / s < n)
>
> That's not quite right. As an extreme case, suppose S is
> SIZE_MAX/4 + 1 and N is 2. Then (2 * (((size_t) -1 - 1) / 3)) / S
> evaluates to 2 and N will appear to be in range here, but:
>
>> + n = n + n / 2 + 1;
>
> will cause N to become 4, and N * S will then overflow.
>
> I installed this:
>
> 2007-02-03 Paul Eggert <[EMAIL PROTECTED]>
>
> * lib/xalloc.h (x2nrealloc): Fix an unlikely bug in the overflow
> checking code. Set N = ceil (1.5 * N) rather than to a slightly
> larger value.

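Review bot: The guard in "+ if ((2 * (((size_t) -1 - 1) / 3)) / s < n)" bounds N for a growth factor of 1.5, but the growth line "+ n = n + n / 2 + 1;" can grow N by more than that (N = 2 becomes 4), so the two lines need to agree: either grow to exactly ceil (1.5 * N) or test the post-growth value against the largest size_t value divided by s. A comment beside the check stating the invariant it protects (the new N times S fits in size_t) would also make the constant easier to audit.
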
Good catch! Thanks.
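
The counterexample from the quoted review, worked through as an added example (not code from gnulib or from either poster). grow_patch uses the check and growth step exactly as quoted from the patch; grow_ceil15 and product_wraps are hypothetical helpers that grow to ceil (1.5 * N) and test the post-growth value directly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* True when n * s does not fit in size_t. */
static bool product_wraps(size_t n, size_t s)
{
    return s != 0 && n > SIZE_MAX / s;
}

/* Check and growth step as quoted from the patch (s must be nonzero). */
static bool grow_patch(size_t n, size_t s, size_t *out)
{
    if ((2 * (((size_t) -1 - 1) / 3)) / s < n)
        return false;
    *out = n + n / 2 + 1;
    return true;
}

/* Hypothetical alternative: grow to ceil(1.5 * n), testing the new value. */
static bool grow_ceil15(size_t n, size_t s, size_t *out)
{
    size_t half = n / 2 + n % 2;          /* ceil(n / 2), cannot wrap */
    if (n > SIZE_MAX - half)              /* n + half would wrap */
        return false;
    if (product_wraps(n + half, s))       /* (n + half) * s would wrap */
        return false;
    *out = n + half;
    return true;
}

int main(void)
{
    size_t s = SIZE_MAX / 4 + 1, n = 0;   /* the S from the counterexample */

    if (grow_patch(2, s, &n))
        printf("patch check: accepted, N=%zu, N*S wraps=%d\n", n, product_wraps(n, s));
    if (grow_ceil15(2, s, &n))
        printf("ceil(1.5N):  accepted, N=%zu, N*S wraps=%d\n", n, product_wraps(n, s));
    if (!grow_ceil15(3, s, &n))
        printf("ceil(1.5N):  N=3 rejected, growth to 5 would overflow\n");
    return 0;
}
```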