Re: checked integer arithmetic

bug-gnulib

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: checked integer arithmetic

From:	Paul Eggert
Subject:	Re: checked integer arithmetic
Date:	Thu, 15 Dec 2016 10:21:40 -0800
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

On 12/15/2016 02:09 AM, Bruno Haible wrote:

So, the limiting factor is the pointer difference operator
    ptr1 - ptr2        where sizeof (*ptr1,*ptr2) > 1.

Yes, it is the pointer difference operator. However, the problem occurseven with size-1 array elements. For example:


#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

ptrdiff_t
diff (char *a, char *b)
{
  return a - b;
}

int
main (void)
{
  size_t n = PTRDIFF_MAX / 2 + 1;
  size_t size = 2 * n;
  char *x = malloc (size);
  return 0 < diff (x + size, x);
}

'main' returns 0 on Fedora 24 (x86-64 or x86).

* We have no problem with code that only works with indices and never does
   pointer differences or pointer comparisons.


I don't see a problem with pointer comparisons, just pointer differences.

* We have no problem with strings, because sizeof (char) == 1.

No, unfortunately large strings do not work, as one cannot reliablycompute differences of pointers to their elements.

One possibility would be to have two flavors of xalloc_oversized. Oneflavor would check for both ptrdiff_t overflow and size_t overflow, forprograms that do pointer subtraction, and the other flavor(yalloc_oversized, say?) would check only for size_t overflow, forprograms that never subtract pointers to the allocated storage. Allcurrent functions like xnmalloc could have two flavors, so that xnmallocchecks for both kinds of overflow and ynmalloc checks only for size_toverflow. It's not clear to me whether it's worth going to all thateffort merely to support 3 GiB arrays in 32-bit applications. In themeantime, I installed the patch I proposed yesterday, along with theadditional patches attached, which merely change the x* functions tocheck for both kinds of overflow.

0001-quotearg-pacify-GCC-better.patch
Description: Source code patch

0002-malloca-do-not-exceed-PTRDIFF_MAX.patch
Description: Source code patch

0003-xalloc-do-not-exceed-PTRDIFF_MAX.patch
Description: Source code patch

0004-safe-alloc-use-xalloc-oversized.patch
Description: Source code patch

[Prev in Thread]

Current Thread

[Next in Thread]

FYI: dfa: add an assertion to avoid coverity false positive, Jim Meyering, 2016/12/14
- Re: FYI: dfa: add an assertion to avoid coverity false positive, Paul Eggert, 2016/12/14
  - Re: checked integer arithmetic, Bruno Haible, 2016/12/14
    - Re: checked integer arithmetic, Eric Blake, 2016/12/14
    - Re: checked integer arithmetic, Paul Eggert, 2016/12/14
    - xalloc-oversized PTRDIFF_MAX fix (was: checked integer arithmetic), Paul Eggert, 2016/12/14
    - Re: checked integer arithmetic, Bruno Haible, 2016/12/14
    - Re: checked integer arithmetic, Bruno Haible, 2016/12/15
    - Re: checked integer arithmetic, Paul Eggert <=
    - Re: checked integer arithmetic, Bruno Haible, 2016/12/15
    - Re: checked integer arithmetic, Bruno Haible, 2016/12/15
    - Re: checked integer arithmetic, Paul Eggert, 2016/12/16
  - Re: FYI: dfa: add an assertion to avoid coverity false positive, Paul Eggert, 2016/12/14

Prev by Date: Re: bug#22357: grep -f not only huge memory usage, but also huge time cost
Next by Date: init.sh: add option to preserve temporary files
Previous by thread: Re: checked integer arithmetic
Next by thread: Re: checked integer arithmetic
Index(es):
- Date
- Thread