From: Martin Pitt <email address hidden>
To: Frank Küster <email address hidden>, Florian Weimer <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 10:40:39 +0100
Message-ID: <email address hidden>

Hi Florian, hi Frank!
Frank Küster [2005-12-08 22:55 +0100]:
> Florian Weimer <email address hidden> wrote:
> > By the way, the gmallocn function suffers from undefined integer
> > overflow, too:
> >
> > void *gmallocn(int nObjs, int objSize) {
> >   int n;
> >
> >   n = nObjs * objSize;
> >   if (objSize == 0 || n / objSize != nObjs) {
> >     fprintf(stderr, "Bogus memory allocation size\n");
> >     exit(1);
> >   }
> >   return gmalloc(n);
> > }
> 
> What's the problem here? That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?
n is not 'undefined' here. For every given nObjs and objSize input, it
always gets the same well-defined value.

We can assume that objSize is a small positive number, since it is not
user defined (just a sizeof value). The function works correctly for
positive values of nObjs (both valid and invalid), but there is a
corner case for negative nObjs. Since gmalloc() takes a size_t
(unsigned), in most cases gmalloc() will allocate more memory than
required for a negative argument. However, when n is exactly -2^31 you
could see an off-by-one memory allocation error.

Indeed the function should be written completely using unsigned
arithmetic, otherwise your head will just explode.
Florian, is that what you meant?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
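An added example (not xpdf's code, and not from either poster) that puts the point of the thread into running C: the quoted check accepts a negative count, which then wraps to a huge size_t on the way into gmalloc(), and an unsigned rewrite of the size computation that rejects it. gmallocn_size() and gmallocn_safe() are assumed names for the rewritten check; malloc() stands in for gmalloc().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The check from the quoted gmallocn(), reproduced only to show which
 * inputs it lets through. Call it only where nObjs * objSize fits in an
 * int: for larger products the multiplication itself is undefined
 * behaviour in C, which is the point Florian raised. */
int original_check_passes(int nObjs, int objSize) {
    int n = nObjs * objSize;
    return !(objSize == 0 || n / objSize != nObjs);
}

/* What gmalloc(n) receives once a negative n is converted to size_t:
 * the value wraps to SIZE_MAX + 1 + n, i.e. an enormous request. */
size_t size_seen_by_gmalloc(int n) {
    return (size_t)n;
}

/* Unsigned rewrite (assumed fix, not xpdf's own code): reject negative
 * counts and non-positive object sizes up front, then multiply in size_t
 * behind a division check that cannot overflow. Returns 1 on success. */
int gmallocn_size(int nObjs, int objSize, size_t *out) {
    if (nObjs < 0 || objSize <= 0)
        return 0;
    size_t a = (size_t)nObjs, b = (size_t)objSize;
    if (a > SIZE_MAX / b)          /* a * b would wrap around */
        return 0;
    *out = a * b;
    return 1;
}

void *gmallocn_safe(int nObjs, int objSize) {
    size_t n;
    if (!gmallocn_size(nObjs, objSize, &n)) {
        fprintf(stderr, "Bogus memory allocation size\n");
        exit(1);
    }
    return malloc(n == 0 ? 1 : n);   /* keep zero-size requests non-NULL */
}
```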