Hi

Here are more signed int overflows with undefined behavior
discovered with the IOC tool (http://embed.cs.utah.edu/ioc/):

CLANG ARITHMETIC UNDEFINED at <move.c, (2591:12)> : Op: +, Reason :
Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647
right (int32): 1

CLANG ARITHMETIC UNDEFINED at <move.c, (2603:12)> : Op: +, Reason :
Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647
right (int32): 2147483647

CLANG ARITHMETIC UNDEFINED at <move.c, (2603:41)> : Op: +, Reason :
Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647
right (int32): 1

I can reproduce these overflows as follows:

$ yes 1 | head -5 > 1
$ yes 2 | head -5 > 2
$ vim -u NONE -c 'set wrap' -d 1 2

Then press <PgDown> followed by <PgUp> and the overflow happens.

Even assuming a two's complement representation of
signed values, I think that code is still wrong here:

move.c:

2591     if (h3 + h2 > min_height)
2592     {
2593         *lp = loff0;    /* no overlap */
2594         return;
2595     }

h3 and/or h2 are signed int variables. They can be
equal to MAXCOL (0x7fffffffL).  So the addition
at line 2591 can overflow, giving in general a negative
value (but in theory behavior is undefined for signed
int overflows). The intention of MAXCOL here was to
behave as a large height.

The attached patch fixes it, but please review it.

IOC tool no longer complains with the patch.

Regards
-- Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

Attachment: fixed-signed-overflow-move.c-7.3.712.patch
Description: Binary data
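The following is an added illustration of the overflow described in the report above; it is not code from vim's move.c and not the attached patch. It shows why "h3 + h2 > min_height" misbehaves when either operand is MAXCOL, and two overflow-free ways to express the same test: widening the sum to long long, or detecting the overflow first and saturating at MAXCOL (the "large height" the report says MAXCOL is meant to represent). The function names and the non-negative-height assumption in the saturating variant are mine, not vim's.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed example. MAXCOL is the value quoted in the report for vim's
   "very large height" sentinel; everything else here is hypothetical. */
#define MAXCOL 0x7fffffffL

/* Nonzero if a + b would overflow int. The check itself never overflows:
   it rearranges the comparison so only in-range values are computed. */
int add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;   /* positive overflow */
    return a < INT_MIN - b;       /* negative overflow (b <= 0) */
}

/* Overflow-free replacement for the test "h3 + h2 > min_height".
   long long is at least 64 bits, so the sum of two 32-bit ints always fits. */
int heights_exceed(int h3, int h2, int min_height)
{
    long long sum = (long long)h3 + (long long)h2;
    return sum > (long long)min_height;
}

/* Alternative that stays in int: if the sum would overflow, clamp it to
   MAXCOL, which matches the intent that MAXCOL means "as large as it gets".
   Assumes heights are non-negative (negative overflow clamps to INT_MIN). */
int saturating_height_sum(int h3, int h2)
{
    if (add_would_overflow(h3, h2))
        return (h2 > 0) ? (int)MAXCOL : INT_MIN;
    return h3 + h2;
}

int main(void)
{
    int h3 = (int)MAXCOL, h2 = 1, min_height = 10;

    /* The original expression "h3 + h2 > min_height" is undefined here, so it
       is deliberately not evaluated; the two safe forms give the intended answer. */
    printf("add_would_overflow(MAXCOL, 1) = %d\n", add_would_overflow(h3, h2));
    printf("heights_exceed(MAXCOL, 1, 10) = %d\n", heights_exceed(h3, h2, min_height));
    printf("saturating_height_sum(MAXCOL, 1) = %d\n", saturating_height_sum(h3, h2));
    printf("saturating_height_sum(3, 4) = %d\n", saturating_height_sum(3, 4));
    return 0;
}
```

Either safe form reports "exceeds" for the MAXCOL + 1 and MAXCOL + MAXCOL cases IOC flagged, which is what the surrounding code presumably expects from a sentinel meaning "very tall"; the wrapped int sum would instead be negative and fail the "> min_height" test.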
