Hi Florian, hi Frank!

Frank Küster [2005-12-08 22:55 +0100]:
> Florian Weimer <[EMAIL PROTECTED]> wrote:
> > By the way, the gmallocn function suffers from undefined integer
> > overflow, too:
> >
> > void *gmallocn(int nObjs, int objSize) {
> >   int n;
> >
> >   n = nObjs * objSize;
> >   if (objSize == 0 || n / objSize != nObjs) {
> >     fprintf(stderr, "Bogus memory allocation size\n");
> >     exit(1);
> >   }
> >   return gmalloc(n);
> > }
> 
> What's the problem here?  That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?

n is not 'undefined' here. For every given nObjs and objSize input, it
always gets the same well-defined value.

We can assume that objSize is a small positive number, since it is not
user defined (just a sizeof value). The function works correctly for
positive values of nObjs (both valid and invalid), but there is a
corner case for negative nObjs. Since gmalloc() takes a size_t
(unsigned), in most cases gmalloc() will allocate more memory than
required for a negative argument. However, when n is exactly -2^31 you
could see an off-by-one memory allocation error.

Indeed the function should be written completely using unsigned
arithmetic, otherwise your head will just explode.

Florian, is that what you meant?

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

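The corner cases discussed in this thread, as an added example (not code from the mail or from xpdf): it emulates the original gmallocn check with wrapping unsigned arithmetic so it can be run without triggering undefined behaviour, and puts an unsigned-arithmetic version of the check beside it. It assumes a 32-bit two's-complement int; the function names are the example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulate "n = nObjs * objSize" the way it behaves in practice on a
   two's-complement machine: wrap modulo 2^32. Doing it in uint32_t keeps
   the emulation itself free of signed-overflow undefined behaviour. */
static int wrapped_mul(int a, int b) {
    uint32_t u = (uint32_t)a * (uint32_t)b;
    return (int)(int32_t)u; /* out-of-range conversion: wraps on gcc/clang */
}

/* True if the original gmallocn check would let this request through. */
bool original_check_passes(int nObjs, int objSize) {
    int n = wrapped_mul(nObjs, objSize);
    return !(objSize == 0 || n / objSize != nObjs);
}

/* The size_t that the original code would hand to gmalloc(n):
   a negative n becomes a huge unsigned value here. */
size_t original_size(int nObjs, int objSize) {
    return (size_t)wrapped_mul(nObjs, objSize);
}

/* Unsigned variant: rejects a zero element size and any product that
   would not fit in size_t. A negative count arriving as a size_t is
   huge, so it is rejected by the same test. Returns false on rejection. */
bool safe_mul_size(size_t nObjs, size_t objSize, size_t *out) {
    if (objSize == 0 || nObjs > SIZE_MAX / objSize) return false;
    *out = nObjs * objSize;
    return true;
}

/* Convenience wrapper: would the unsigned check accept this request? */
bool safe_request_ok(size_t nObjs, size_t objSize) {
    size_t unused;
    return safe_mul_size(nObjs, objSize, &unused);
}

int main(void) {
    printf("10*8 passes: %d\n", original_check_passes(10, 8));
    printf("0x40000001*4 passes: %d\n", original_check_passes(0x40000001, 4));
    printf("-1*4 passes: %d, size %zu\n", original_check_passes(-1, 4),
           original_size(-1, 4));
    printf("INT_MIN/2*2 passes: %d\n", original_check_passes(INT_MIN / 2, 2));
    printf("unsigned check on -1 cast to size_t: %d\n",
           safe_request_ok((size_t)-1, 4));
    return 0;
}
```

The third and fourth lines of output show the negative-count case Martin describes: the division test is satisfied, yet the size handed to gmalloc() is enormous.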