On Wed, 15 Jul 2009, Geoff Wing wrote:
> On Tuesday 2009-07-14 16:46 +0100, Roy Marples output:
> :- newlen = off + len + 1;
> :- /* Ensure that the resultant buffer length fits in ssize_t */
> :- if (newlen > (size_t)SSIZE_MAX + 1) {
> :+ newlen = off + len;
> :+ /* Ensure that the resultant buffer length fits in ssize_t. */
> :+ if (newlen > SSIZE_MAX) {
>
> I may have explained this poorly. "newlen", "off" and "len" are
> signed numbers. If the addition "off + len" overflows ssize_t (also signed),
> then "newlen" is now negative and will never be greater than SSIZE_MAX. Yes?
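Review bot: in the `+` lines, `newlen = off + len;` is evaluated before the `if (newlen > SSIZE_MAX)` test, so with the signed types described in the thread the addition itself can overflow before any check runs, and signed overflow is undefined behaviour rather than a reliably negative value that the comparison could catch. Suggest checking before adding, e.g. `if (off < 0 || len < 0 || len > SSIZE_MAX - off) /* too large */`, or forming the sum in `size_t` and comparing the unsigned result against `SSIZE_MAX` before assigning it back to the signed `newlen`.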
No. If those are all signed, and if off+len overflows, then it leads to undefined behaviour. I haven't thought enough about this, but I'd be inclined to do the addition using an unsigned type, which has well-defined overflow behaviour, and then check the range of the unsigned result.

--apb (Alan Barrett)
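The approach Alan describes above (form the sum in an unsigned type, whose wrap-around is defined, then range-check the unsigned result before storing it in the signed variable), written out as an added example that is not part of this thread or of the original patch. The function name `checked_newlen`, the assumption that `off` and `len` are non-negative, and the alternative `checked_newlen_precheck` that avoids the unsigned detour by testing before adding are mine; both functions also reject negative inputs, which the patch's comparison alone would not catch.

```c
#include <limits.h>     /* SSIZE_MAX on POSIX systems */
#include <stdint.h>     /* SIZE_MAX for the fallback below */
#include <stdio.h>
#include <sys/types.h>  /* ssize_t */

#ifndef SSIZE_MAX
/* Fallback for toolchains that hide SSIZE_MAX behind feature macros;
 * on the usual two's-complement targets ssize_t has one fewer value bit
 * than size_t, so this matches the system definition. */
#define SSIZE_MAX ((ssize_t)(SIZE_MAX / 2))
#endif

/* Compute off + len in an unsigned type and check the range afterwards,
 * as suggested in the reply above.  Inputs are assumed non-negative
 * (hypothetical caller contract).  Returns 0 and stores the sum in
 * *newlen on success, -1 if an input is negative or the sum would not
 * fit in ssize_t.  The signed addition that could overflow is never
 * performed. */
int
checked_newlen(ssize_t off, ssize_t len, ssize_t *newlen)
{
	size_t sum;

	if (off < 0 || len < 0)
		return -1;
	/* Both operands are <= SSIZE_MAX, so the unsigned sum is at most
	 * 2 * SSIZE_MAX, which is below SIZE_MAX on the usual targets; the
	 * unsigned addition therefore cannot wrap, and even if it did the
	 * result would be well-defined, not undefined behaviour. */
	sum = (size_t)off + (size_t)len;
	if (sum > (size_t)SSIZE_MAX)
		return -1;
	*newlen = (ssize_t)sum;
	return 0;
}

/* Alternative with the same contract: keep everything signed, but test
 * for overflow *before* adding.  SSIZE_MAX - off cannot underflow
 * because off is known to be non-negative at that point. */
int
checked_newlen_precheck(ssize_t off, ssize_t len, ssize_t *newlen)
{
	if (off < 0 || len < 0)
		return -1;
	if (len > SSIZE_MAX - off)
		return -1;
	*newlen = off + len;
	return 0;
}

int
main(void)
{
	ssize_t n;

	/* Constructed inputs: a normal case and one that would overflow. */
	if (checked_newlen(10, 20, &n) == 0)
		printf("10 + 20 = %zd\n", n);
	if (checked_newlen(SSIZE_MAX, 1, &n) != 0)
		printf("SSIZE_MAX + 1 rejected\n");
	if (checked_newlen_precheck(SSIZE_MAX, 1, &n) != 0)
		printf("SSIZE_MAX + 1 rejected by precheck as well\n");
	return 0;
}
```

Either function can replace the `newlen = off + len; if (newlen > SSIZE_MAX)` pair in the patch; the point is that the overflow test happens on a value that was computed without undefined behaviour.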