| Issue |
129970
|
| Summary |
Can StringByteSize in demangleStringLiteral in MicrosoftDemangle.cpp overflow?
|
| Labels |
new issue
|
| Assignees |
|
| Reporter |
shafik
|
A static analysis tool flagged this line for possible overflow:
https://github.com/llvm/llvm-project/blob/213028556419cb734be5aadcfd9798b40a8ebc31/llvm/lib/Demangle/MicrosoftDemangle.cpp#L1382
as a possible overflow risk. I can see that we used to check but switched to checking `MangledName.size() < 2` w/ this commit: a0ac65c98f281
The relationship between `MangledName.size()` and `StringByteSize` does not look like it is verified, although the assumption seems to be that it will at least as large as `MangledName.size()`.
The question is whether `StringByteSize` could ever have a value of `1` or `0` before decrementing by `2` and thereflow overflowing to max unsigned value or max unsigned value - 1.
![]()
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
