From: Paul Eggert
Subject: Re: checked integer arithmetic
Date: Thu, 15 Dec 2016 10:21:40 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
On 12/15/2016 02:09 AM, Bruno Haible wrote:
> So, the limiting factor is the pointer difference operator ptr1 - ptr2 where sizeof (*ptr1,*ptr2) > 1.
Yes, it is the pointer difference operator. However, the problem occurs even with size-1 array elements. For example:
    #include <stdint.h>
    #include <stddef.h>
    #include <stdlib.h>

    /* a - b overflows ptrdiff_t once the two pointers are more than
       PTRDIFF_MAX bytes apart, even though sizeof (char) == 1.  */
    ptrdiff_t
    diff (char *a, char *b)
    {
      return a - b;
    }

    int
    main (void)
    {
      size_t n = PTRDIFF_MAX / 2 + 1;
      size_t size = 2 * n;        /* PTRDIFF_MAX + 1 bytes: fits size_t, not ptrdiff_t */
      char *x = malloc (size);
      /* The difference should be positive, but the subtraction wraps.  */
      return 0 < diff (x + size, x);
    }

'main' returns 0 on Fedora 24 (x86-64 or x86).
> * We have no problem with code that only works with indices and never does pointer differences or pointer comparisons.
I don't see a problem with pointer comparisons, just pointer differences.
> * We have no problem with strings, because sizeof (char) == 1.
No, unfortunately large strings do not work, as one cannot reliably compute differences of pointers to their elements.
One possibility would be to have two flavors of xalloc_oversized. One flavor would check for both ptrdiff_t overflow and size_t overflow, for programs that do pointer subtraction, and the other flavor (yalloc_oversized, say?) would check only for size_t overflow, for programs that never subtract pointers to the allocated storage. All current functions like xnmalloc could have two flavors, so that xnmalloc checks for both kinds of overflow and ynmalloc checks only for size_t overflow. It's not clear to me whether it's worth going to all that effort merely to support 3 GiB arrays in 32-bit applications. In the meantime, I installed the patch I proposed yesterday, along with the additional patches attached, which merely change the x* functions to check for both kinds of overflow.
Attachments (source code patches):
  0001-quotearg-pacify-GCC-better.patch
  0002-malloca-do-not-exceed-PTRDIFF_MAX.patch
  0003-xalloc-do-not-exceed-PTRDIFF_MAX.patch
  0004-safe-alloc-use-xalloc-oversized.patch
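An added example, not gnulib's code and not part of this thread, showing the two check flavours discussed above: a strict one that rejects a request when n * s would overflow size_t or exceed PTRDIFF_MAX (so pointer subtraction inside the block can never overflow, as in the diff() demonstration), and a lenient one that rejects only size_t overflow, for code that never subtracts pointers into the block. The names alloc_oversized_ptrdiff, alloc_oversized_size and nmalloc_checked are hypothetical; main() applies them to the sizes from the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict flavour (the xalloc_oversized direction): true if n * s would
   overflow size_t or exceed PTRDIFF_MAX.  Dividing instead of multiplying
   keeps the check itself free of overflow.  Hypothetical name.  */
static bool
alloc_oversized_ptrdiff (size_t n, size_t s)
{
  if (s == 0)
    return false;
  return n > (size_t) PTRDIFF_MAX / s;
}

/* Lenient flavour (the "yalloc_oversized" direction): true only if n * s
   would overflow size_t.  Only safe for code that never subtracts pointers
   into the allocated block.  Hypothetical name.  */
static bool
alloc_oversized_size (size_t n, size_t s)
{
  if (s == 0)
    return false;
  return n > SIZE_MAX / s;
}

/* Hypothetical xnmalloc/ynmalloc-style wrapper: STRICT selects the flavour.
   Returns NULL with errno == ENOMEM rather than passing a wrapped-around or
   ptrdiff-unsafe byte count to malloc.  */
static void *
nmalloc_checked (size_t n, size_t s, bool strict)
{
  bool oversized = strict ? alloc_oversized_ptrdiff (n, s)
                          : alloc_oversized_size (n, s);
  if (oversized)
    {
      errno = ENOMEM;
      return NULL;
    }
  return malloc (n * s);
}

int
main (void)
{
  /* The sizes from the demonstration above: n elements of 2 bytes, i.e.
     PTRDIFF_MAX + 1 bytes in total, which fits size_t but not ptrdiff_t.  */
  size_t n = (size_t) PTRDIFF_MAX / 2 + 1;
  printf ("strict  rejects %zu x 2: %s\n", n,
          alloc_oversized_ptrdiff (n, 2) ? "yes" : "no");
  printf ("lenient rejects %zu x 2: %s\n", n,
          alloc_oversized_size (n, 2) ? "yes" : "no");
  void *p = nmalloc_checked (n, 2, true);
  printf ("strict nmalloc: %s\n", p ? "allocated" : "refused (ENOMEM)");
  free (p);
  return 0;
}
```

The strict flavour is the one a program should default to unless it can show that no pointer difference is ever taken within the block; the lenient flavour buys the extra address space at the price of exactly the wraparound the diff() example exhibits.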