Now I see. I have worked on this too much - I keep seeing what I believe it is instead of what it actually is. Fixed in both rawSpace and reserveSpace.
On Wed, Jul 31, 2013 at 7:12 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:
> On 07/31/2013 11:11 AM, Alex Rousskov wrote:
>> On 07/31/2013 10:12 AM, Kinkie wrote:
>>>>>> Not if the math overflowed down to a smaller value before it even got
>>>>>> passed to reserveCapacity().
>>>>>
>>>>> Ok. I'm going to check minSpace. maxSize+minSpace is definitely not
>>>>> enough to overflow size_type
>>>>
>>>> minSpace is controlled completely by the unknown caller code. It may be
>>>> UINT_MAX or something equally capable of overflowing when you add to it.
>>
>>> What is currently done is:
>>>
>>> reserveSpace(minSpace) {
>>>     reserveCapacity(length()+minSpace);
>>> }
>>
>> Kinkie,
>>
>> I am afraid you are missing the point here. Consider the case where
>> minSpace is the maximum value that size_type can hold and length() is
>> 100. The above sum overflows _before_ any of your checks in
>> reserveCapacity() happen.
>>
>> The correct check in reserveSpace() is:
>>
>> Must(minSpace >= 0 && length() < maximum size_type value - minSpace)
>
> Must(minSpace >= 0 && length() <= maximum size_type value - minSpace)
>
> Alex.

-- 
/kinkie
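The overflow Alex describes, as an added example written for this page rather than Squid's own SBuf code: a naive reserveSpace() computes length()+minSpace first and only then compares against the maximum, so a minSpace near the top of size_type wraps to a small, plausible-looking number and passes every later check. The corrected form tests length() <= max - minSpace before adding. The names naiveReserveSpace, safeReserveSpace and Reservation are assumptions for this example, and an unsigned std::size_t stands in for SBuf's size_type (which makes the minSpace >= 0 half of the Must() trivially true, so it is omitted). The last two cases also show why Alex changed < to <=: length() == max - minSpace sums exactly to max without wrapping and must be accepted.

```cpp
#include <cstddef>
#include <limits>

// Outcome of a reservation request (hypothetical helper type):
// whether the request was accepted and the capacity that would be allocated.
struct Reservation {
    bool ok;
    std::size_t cap;
};

// Naive version: the sum is formed before any range check. Unsigned
// arithmetic wraps silently, so a huge minSpace can become a tiny "wanted".
Reservation naiveReserveSpace(std::size_t len, std::size_t minSpace,
                              std::size_t maxSize) {
    const std::size_t wanted = len + minSpace;   // may wrap around
    if (wanted > maxSize)
        return {false, 0};
    return {true, wanted};
}

// Corrected version: refuse the request if len + minSpace cannot be
// represented, using the subtraction form from the thread
// (length() <= max_size_type - minSpace), which itself cannot underflow
// because minSpace <= max_size_type always holds for an unsigned type.
Reservation safeReserveSpace(std::size_t len, std::size_t minSpace,
                             std::size_t maxSize) {
    const std::size_t maxSizeType = std::numeric_limits<std::size_t>::max();
    if (len > maxSizeType - minSpace)
        return {false, 0};                       // sum would overflow
    const std::size_t wanted = len + minSpace;   // now guaranteed not to wrap
    if (wanted > maxSize)
        return {false, 0};                       // honest "too big" refusal
    return {true, wanted};
}
```

With length() == 100 and minSpace == SIZE_MAX the naive version "accepts" the request with a capacity of 99, i.e. smaller than the current length, which is exactly the state a later write would overrun; the checked version refuses it.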