Comment 39 for bug 26650

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 9 Dec 2005 10:40:39 +0100
From: Martin Pitt <email address hidden>
To: Frank Küster <email address hidden>,
 Florian Weimer <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?


Hi Florian, hi Frank!

Frank Küster [2005-12-08 22:55 +0100]:
> Florian Weimer <email address hidden> wrote:
> > By the way, the gmallocn function suffers from undefined integer
> > overflow, too:
> >
> > void *gmallocn(int nObjs, int objSize) {
> >   int n;
> >
> >   n = nObjs * objSize;
> >   if (objSize == 0 || n / objSize != nObjs) {
> >     fprintf(stderr, "Bogus memory allocation size\n");
> >     exit(1);
> >   }
> >   return gmalloc(n);
> > }
>
> What's the problem here? That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?

n is not 'undefined' here. For every given nObjs and objSize input, it
always gets the same well-defined value.

We can assume that objSize is a small positive number, since it is not
user defined (just a sizeof value). The function works correctly for
positive values of nObjs (both valid and invalid), but there is a
corner case for negative nObjs. Since gmalloc() takes a size_t
(unsigned), in most cases gmalloc() will allocate more memory than
required for a negative argument. However, when n is exactly -2^31 you
could see an off-by-one memory allocation error.

Indeed the function should completely be written using unsigned
arithmetic, otherwise your head will just explode.

Florian, is that what you meant?

Thanks,

Martin
-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

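As an added illustration of the unsigned rewrite Martin suggests above (this is example code, not xpdf's gmallocn and not part of the bug thread), here is a hardened counterpart of the quoted function. The names gmallocn_checked, mul_size_overflows, mul_size_overflow_flag and rejected are hypothetical. It keeps the int parameters of the original but rejects a negative count or non-positive element size before any multiplication, forms the product in size_t where wrap-around is well-defined, and returns NULL instead of calling exit(1) so the rejection path can be exercised by a caller.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if a * b would overflow size_t; otherwise stores a * b in *out
 * and returns 0. Unsigned arithmetic wraps modulo 2^N, so this division
 * check is well-defined, unlike the signed "n / objSize != nObjs" test in
 * the quoted gmallocn(), where the multiplication itself may already be UB. */
int mul_size_overflows(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) {
        return 1;
    }
    *out = a * b;
    return 0;
}

/* Small wrapper returning only the overflow flag (hypothetical helper). */
int mul_size_overflow_flag(size_t a, size_t b) {
    size_t unused;
    return mul_size_overflows(a, b, &unused);
}

/* Hardened counterpart (hypothetical, not xpdf's code) of the quoted gmallocn():
 * same int parameters, but all validation happens before any arithmetic and
 * the product is formed in size_t. Returns NULL rather than exit(1) on a
 * bogus size so the rejection can be observed by the caller. */
void *gmallocn_checked(int nObjs, int objSize) {
    size_t n;
    /* A negative count would silently convert to a huge size_t
     * ((size_t)-1 == SIZE_MAX) when handed to the allocator, and a
     * non-positive element size can never be right. Refuse both up front. */
    if (nObjs < 0 || objSize <= 0) {
        fprintf(stderr, "Bogus memory allocation size\n");
        return NULL;
    }
    if (mul_size_overflows((size_t)nObjs, (size_t)objSize, &n)) {
        fprintf(stderr, "Bogus memory allocation size\n");
        return NULL;
    }
    return malloc(n);
}

/* 1 if the hardened function rejects (nObjs, objSize), 0 if it hands back a
 * buffer (which is freed again). Lets a caller check behaviour without
 * leaking. Only meaningful for n > 0, since malloc(0) may legally return NULL. */
int rejected(int nObjs, int objSize) {
    void *p = gmallocn_checked(nObjs, objSize);
    if (p == NULL) {
        return 1;
    }
    free(p);
    return 0;
}

int main(void) {
    /* The corner case from the message: nObjs * objSize == -2^31 passes the
     * signed check in the original (n / objSize == nObjs) and reaches gmalloc
     * with a negative n. Here the negative count is refused before any
     * multiplication takes place. */
    printf("INT_MIN/4 objects of 4 bytes rejected: %d\n", rejected(INT_MIN / 4, 4));
    printf("-1 objects of 4 bytes rejected: %d\n", rejected(-1, 4));
    printf("10 objects of 4 bytes rejected: %d\n", rejected(10, 4));
    printf("SIZE_MAX * 2 overflows size_t: %d\n", mul_size_overflow_flag(SIZE_MAX, 2));
    return 0;
}
```

On compilers that provide it, `__builtin_mul_overflow` (GCC and Clang) does the same overflow test in one call; the division form above is shown because it is portable C and makes the unsigned reasoning explicit.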