"liujunjie (A)" <liujunji...@huawei.com> writes:

> Thanks for your reply.
>> Really? How exactly can this happen? Please explain step by step.
> There exists a qemu core related to this. You have mentioned that "The
> conversion truncates when strlen(str) - 1 exceeds INT_MAX".
> Later, in function qstring_from_substr, this truncated "end" will be assigned
> to "qstring->length" again, which is size_t. This is the key point why qemu
> coredumped.
> Because when "end" is truncated, it can be a negative number. If we assign a
> negative number to a size_t variable, this size_t variable can become very
> large.
> At last, we call g_malloc to try to allocate a large number of members, which
> cannot succeed. So qemu coredumps.
> In my example, using gdb to debug function qstring_from_substr, I can get the
> following message.
> (gdb) p qstring->length
> $4 = 18446744072383980732 (too large to allocate)
> (gdb) p (int) (qstring->length)
> $5 = -1325570884
> (gdb) p/x (int) qstring->length
> $6 = 0xb0fd64bc
> (gdb) p/x qstring->length
> $7 = 0xffffffffb0fd64bc
> (gdb) p end
> $8 = <optimized out>
Can you provide a stack backtrace, too?