Hi Florian, hi Frank!

Frank Küster [2005-12-08 22:55 +0100]:
> Florian Weimer <[EMAIL PROTECTED]> wrote:
> > By the way, the gmallocn function suffers from undefined integer
> > overflow, too:
> >
> > void *gmallocn(int nObjs, int objSize) {
> >   int n;
> >
> >   n = nObjs * objSize;
> >   if (objSize == 0 || n / objSize != nObjs) {
> >     fprintf(stderr, "Bogus memory allocation size\n");
> >     exit(1);
> >   }
> >   return gmalloc(n);
> > }
>
> What's the problem here? That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?
n is not 'undefined' here. For every given nObjs and objSize input, it
always gets the same well-defined value. We can assume that objSize is a
small positive number, since it is not user defined (just a sizeof value).

The function works correctly for positive nObjs (both valid and invalid),
but there is a corner case for negative nObjs. Since gmalloc() takes a
size_t (unsigned), in most cases gmalloc() will allocate more memory than
required for a negative argument. However, when n is exactly -2^31 you
could see an off-by-one memory allocation error.

Indeed the function should be written completely using unsigned
arithmetic, otherwise your head will just explode.

Florian, is that what you meant?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
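An added example, not code from the thread or from the xpdf/poppler source: the quoted gmallocn() check kept as written (returning 0/1 instead of calling exit so it can be tested), a helper showing what a negative n turns into once it is converted to size_t for gmalloc(), and the unsigned rewrite Martin asks for, where the byte count is computed in size_t and the product is rejected before it can wrap. The function names gmallocn_check_signed, size_passed_to_gmalloc, alloc_size_checked and gmallocn_unsigned are my own, and the inputs in main() are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The check from the quoted message, returning 0 ("bogus") or 1
 * ("accepted") instead of exiting. When nObjs * objSize overflows int
 * the multiplication is undefined behaviour in C, so only call this
 * with products that fit in an int. */
int gmallocn_check_signed(int nObjs, int objSize) {
    int n = nObjs * objSize;
    if (objSize == 0 || n / objSize != nObjs)
        return 0;
    return 1;
}

/* What gmalloc(n) receives when n is negative: conversion of a negative
 * int to size_t is modular, so -24 becomes SIZE_MAX - 23, i.e. a
 * request for nearly the whole address space. */
size_t size_passed_to_gmalloc(int n) {
    return (size_t)n;
}

/* Unsigned alternative: count and object size are size_t and the
 * product is rejected before it can wrap, so there is no signed
 * arithmetic and nothing undefined. Returns 1 and stores the byte
 * count on success, 0 when nObjs * objSize would exceed SIZE_MAX. */
int alloc_size_checked(size_t nObjs, size_t objSize, size_t *bytes) {
    if (objSize == 0) {
        *bytes = 0;
        return 1;
    }
    if (nObjs > SIZE_MAX / objSize)
        return 0;
    *bytes = nObjs * objSize;
    return 1;
}

/* Replacement allocator (hypothetical name). Callers that still hold an
 * int count must reject negatives before the conversion to size_t, or
 * they get the huge request shown above. Returns NULL on any bad size. */
void *gmallocn_unsigned(int nObjs, size_t objSize) {
    size_t bytes;
    if (nObjs < 0)
        return NULL;
    if (!alloc_size_checked((size_t)nObjs, objSize, &bytes))
        return NULL;
    return malloc(bytes ? bytes : 1);
}

int main(void) {
    /* Constructed inputs: a normal request, a negative count that the
     * signed check accepts, and a product that would wrap size_t. */
    size_t bytes;
    void *p;
    printf("signed check, 10 x 8:  %d\n", gmallocn_check_signed(10, 8));
    printf("signed check, -3 x 8:  %d (accepted)\n", gmallocn_check_signed(-3, 8));
    printf("gmalloc would receive: %zu bytes\n", size_passed_to_gmalloc(-3 * 8));
    printf("unsigned check, SIZE_MAX/2+1 x 2: %d\n",
           alloc_size_checked(SIZE_MAX / 2 + 1, 2, &bytes));
    p = gmallocn_unsigned(-3, 8);
    printf("gmallocn_unsigned(-3, 8) -> %s\n", p ? "allocated" : "NULL");
    free(p);
    return 0;
}
```

The division-based guard nObjs > SIZE_MAX / objSize is the portable way to detect the wrap without relying on compiler builtins; because both operands are unsigned the comparison itself can never overflow, which is the property the signed original lacks.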