On 04/01/2012 08:49 AM, Niels Möller wrote:
>> I was wondering on how other gnu programs handle integer overflows.
> I think in many cases it is simpler and good enough to enforce
> reasonable (but somewhat arbitrary) limits on the inputs.
> E.g., if you require that all der length fields are less than 2^20,
> that may be sufficient to avoid overflows (assuming that int is at
> least 32 bits). Sure, it's perfectly ok with the spec to include a
> multi-gigabyte cat movie in an x.509 certificate, but that doesn't mean
> that it's a good idea to actually support such certificates.
>
>> http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=3873c6a49122e3f15901646e072938557acd3f8e
>
> Some comments:
>
> 1. Do you really need signed values? For unsigned, addition overflow is
> slightly simpler,
> s = x + y;
> if (s < x) overflow...

It might be that signed values are not really needed. I'll see whether
the same thing can be achieved with unsigned, which will simplify
things.

> 4. I think this type of code is prone to off-by-one-errors. I haven't
> tried to check for that, but one has to consider that carefully, and
> maybe some unit tests would make sense.

Do you mean the code for the safe multiplication/addition or the
original code for parsing asn.1?

regards,
Nikos
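The two ideas in the thread, the unsigned `s = x + y; if (s < x)` overflow idiom and an arbitrary upper bound on DER length fields, fit together naturally in a length decoder. The following is an added example written for this page; it is not code from libtasn1 or from the linked commit. The names `add_sz`, `mul_sz`, `der_read_length` and the `DER_MAX_LENGTH` bound of 2^20 bytes are assumptions chosen here, and the sample headers in `main` are constructed, not taken from any real certificate. Beyond the addition idiom, it also shows the matching division-based check for unsigned multiplication and uses the checked add to compute the end offset of the element, which is where parsers typically wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed policy limit on any DER length we accept, following the
   thread's suggestion of 2^20; the right value depends on the application. */
#define DER_MAX_LENGTH ((size_t)1 << 20)

/* Overflow-checked unsigned addition, the idiom quoted in the thread:
   the sum wrapped if and only if it is smaller than an operand.
   Returns 1 and stores x + y in *out, or 0 on overflow. */
static int add_sz(size_t x, size_t y, size_t *out)
{
    size_t s = x + y;
    if (s < x)
        return 0;
    *out = s;
    return 1;
}

/* Overflow-checked unsigned multiplication: divide before multiplying
   so the test itself cannot wrap. */
static int mul_sz(size_t x, size_t y, size_t *out)
{
    if (x != 0 && y > SIZE_MAX / x)
        return 0;
    *out = x * y;
    return 1;
}

/* Decode the DER length field at buf[0..len). Returns the number of
   header bytes consumed and stores the content length in *value, or
   returns 0 on any error: truncated header, indefinite form, a length
   that does not fit in size_t, non-minimal long form, a length above
   DER_MAX_LENGTH, or content that does not fit in the remaining buffer. */
static size_t der_read_length(const unsigned char *buf, size_t len, size_t *value)
{
    size_t n, v = 0, end, i;

    if (len == 0)
        return 0;
    if (buf[0] < 0x80) {            /* short form: the byte is the length */
        n = 0;
        v = buf[0];
    } else {
        n = buf[0] & 0x7f;          /* long form: n length bytes follow */
        if (n == 0 || len - 1 < n)
            return 0;               /* 0x80 is indefinite form; or truncated */
        if (buf[1] == 0)
            return 0;               /* leading zero byte is not minimal DER */
        for (i = 0; i < n; i++) {
            /* v = v * 256 + byte, each step checked, so any n is safe */
            if (!mul_sz(v, 256, &v) || !add_sz(v, buf[1 + i], &v))
                return 0;
        }
        if (v < 0x80)
            return 0;               /* should have used the short form */
    }
    if (v > DER_MAX_LENGTH)
        return 0;                   /* policy limit, not a syntax error */
    /* header + content must fit in the buffer: checked add for the end offset */
    if (!add_sz(1 + n, v, &end) || end > len)
        return 0;
    *value = v;
    return 1 + n;
}

static void report(const char *label, const unsigned char *buf, size_t len)
{
    size_t v = 0, used = der_read_length(buf, len, &v);
    if (used)
        printf("%-12s ok: header %zu bytes, length %zu\n", label, used, v);
    else
        printf("%-12s rejected\n", label);
}

int main(void)
{
    /* Constructed sample headers (not from any real certificate). */
    static const unsigned char short_form[] = {0x05, 'h', 'e', 'l', 'l', 'o'};
    static unsigned char long_form[2 + 128] = {0x81, 0x80};   /* body zero-filled */
    static const unsigned char indefinite[] = {0x80};
    static const unsigned char nonminimal[] = {0x82, 0x00, 0x80};
    static const unsigned char over_limit[] = {0x83, 0x10, 0x00, 0x01};
    static const unsigned char wraps[11] = {0x89, 1, 1, 1, 1, 1, 1, 1, 1, 1};

    report("short", short_form, sizeof short_form);
    report("long", long_form, sizeof long_form);
    report("indefinite", indefinite, sizeof indefinite);
    report("nonminimal", nonminimal, sizeof nonminimal);
    report("over_limit", over_limit, sizeof over_limit);
    report("wraps", wraps, sizeof wraps);
    return 0;
}
```

The `wraps` case is the one the overflow checks exist for: nine length bytes cannot be held in a 64-bit `size_t`, and without `mul_sz` the value would silently wrap to something small that passes the policy limit. Note that `DER_MAX_LENGTH` is inclusive, so exactly 2^20 bytes is accepted if the buffer actually contains them.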
