Dominique Pelle wrote:
> Here are more signed int overflows with undefined behavior
> discovered with the IOC tool (http://embed.cs.utah.edu/ioc/):
>
> CLANG ARITHMETIC UNDEFINED at <move.c, (2591:12)> : Op: +, Reason :
> Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647
> right (int32): 1
>
> CLANG ARITHMETIC UNDEFINED at <move.c, (2603:12)> : Op: +, Reason :
> Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647
> right (int32): 2147483647
>
> CLANG ARITHMETIC UNDEFINED at <move.c, (2603:41)> : Op: +, Reason :
> Signed Addition Overflow, BINARY OPERATION: left (int32): 2147483647
> right (int32): 1
>
> I can reproduce these overflows as follows:
>
> $ yes 1 | head -5 > 1
> $ yes 2 | head -5 > 2
> $ vim -u NONE -c 'set wrap' -d 1 2
>
> Then press <PgDown> followed by <PgUp> and the overflow happens.
>
> Even assuming a two's complement representation of
> signed values, I think that code is still wrong here:
>
> move.c:
>
> 2591     if (h3 + h2 > min_height)
> 2592     {
> 2593         *lp = loff0;    /* no overlap */
> 2594         return;
> 2595     }
>
> h3 and/or h2 are signed int variables. They can be
> equal to MAXCOL (0x7fffffffL). So the addition
> at line 2591 can overflow giving in general a negative
> value (but in theory behavior is undefined for signed
> int overflows). The intention of MAXCOL here was to
> behave as a large height.
>
> Attached patch fixes it but please review it.
>
> IOC tool no longer complains with the patch.
Thanks, I'll add this to the todo list.
--
Shift happens.
-- Doppler
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
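The following is an added illustration of the overflow described in the report above; it is not Vim's move.c and not the patch attached to the thread. The function names (`add_would_overflow`, `heights_exceed`, `heights_exceed_wide`) and the sample operand pairs in `main` are assumptions for illustration; the operand values are the ones IOC printed (INT_MAX + 1 and INT_MAX + INT_MAX). It shows a pre-check that decides whether `h3 + h2` can be represented at all, so the predicate `h3 + h2 > min_height` can be evaluated without ever performing the undefined addition, and a second variant that simply widens the arithmetic.

```c
/* Added example (not Vim's move.c, nor the patch from the thread).
 * Shows why "h3 + h2 > min_height" is unsafe when either height may be
 * MAXCOL (INT_MAX) and how to evaluate the same predicate without
 * signed overflow.  Function names are assumptions for illustration. */
#include <limits.h>
#include <stdio.h>

#define MAXCOL 0x7fffffffL   /* the value Vim uses as a "huge" column/height */

/* Returns 1 if a + b would overflow int (undefined behaviour in C).
 * Only comparisons are used, so the check itself can never overflow. */
int add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;   /* a + b > INT_MAX, rearranged */
    if (b < 0)
        return a < INT_MIN - b;   /* a + b < INT_MIN, rearranged */
    return 0;
}

/* Safe replacement for the predicate "h3 + h2 > min_height".
 * If the sum cannot be represented, its sign is decided by the operand
 * that caused the overflow: upward overflow means the true sum exceeds
 * INT_MAX and therefore any int min_height (MAXCOL acting as a very
 * large height, as intended); downward overflow means it is below
 * INT_MIN and therefore below any int min_height. */
int heights_exceed(int h3, int h2, int min_height)
{
    if (add_would_overflow(h3, h2))
        return h2 > 0;
    return h3 + h2 > min_height;
}

/* Alternative: do the arithmetic in a wider type.  C99 guarantees
 * long long is at least 64 bits, so the sum of two ints always fits. */
int heights_exceed_wide(int h3, int h2, int min_height)
{
    return (long long)h3 + (long long)h2 > (long long)min_height;
}

int main(void)
{
    /* The operand pairs IOC reported for move.c, constructed here. */
    struct { int h3, h2, min_height; } cases[] = {
        { INT_MAX, 1,       10 },
        { INT_MAX, INT_MAX, 10 },
        { 3,       4,        7 },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("h3=%d h2=%d min_height=%d: overflow=%d exceed=%d wide=%d\n",
               cases[i].h3, cases[i].h2, cases[i].min_height,
               add_would_overflow(cases[i].h3, cases[i].h2),
               heights_exceed(cases[i].h3, cases[i].h2, cases[i].min_height),
               heights_exceed_wide(cases[i].h3, cases[i].h2, cases[i].min_height));
    return 0;
}
```

Building the original form of the check with `-fsanitize=signed-integer-overflow` (the UBSan check that grew out of IOC) reports the same three overflows at runtime; neither of the rewritten predicates triggers it, because no int addition is performed on the MAXCOL operands.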