The obvious caveat to all of this is, in order to fix the saving of a pointer into the hash table values, we are going to have to break binary compatibility anyways, I just see no way around it other than ifdefing this change to 64bit only.. so the answer may be, we totally break binary compatibility badly, but only once, changing all the appropriate API's and data memebers to be size_t.
Thoughts? Mike > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:sofia-sip- > [EMAIL PROTECTED] On Behalf Of Kai Vehmanen > Sent: Tuesday, August 29, 2006 1:28 PM > To: [email protected] > Subject: Re: [Sofia-sip-devel] MSVC detected 64 bit issues. > > Hello, > > On Tue, 29 Aug 2006, Michael Jerris wrote: > > [ if (url->url_port) rv += (int)strlen(url->url_port) + 1; /* plus ':' */ > ] > > I don't disagree with you, but the other option is to change the api to > > use size_t instead of int all over the place, which I am told is not > > really an option as it would totally break ABI. In this case, if the > > url_port is really over the length of max int then you will indeed have > > we can change all the internal uses, but not public structs nor signatures > of public functions. > > But I agree that these should be handled somehow. With or without the > cast, the problem is the same, the value returned by strlen() could > overflow an int and cause havoc (note: the C spec doesn't say anything > about the storage size of size_t -- only that you query it with SIZE_MAX). > If strlen() returns INT_MAX+1, it will result in int value of -1, whether > you cast it or not. > > So any good ideas how to fix this cleanly? Obviously casting to int will > remove the warnings but not cure the problem. > > The options are: > 1) turn ints into size_t's (but no in any public interfaces) > 2) truncate size_t to INT_MAX and then cast to (int) > 3) cast to ints like in Mike's patch > 4) do nothing > > Options 3+4 would basicly require to go through all the cases and see > whether the string could be controlled by an external party (and thus form > a security threat). Otherwise, INT_MAX is so large even on embedded > systems nowadays, that there is very little chance of actual real life > trouble from all these. > > -- ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Sofia-sip-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/sofia-sip-devel
