Frank Küster [2005-12-08 22:55 +0100]:
> Florian Weimer <email address hidden> wrote:
> > By the way, the gmallocn function suffers from undefined integer
> > overflow, too:
> >
> > void *gmallocn(int nObjs, int objSize) {
> > int n;
> >
> > n = nObjs * objSize;
> > if (objSize == 0 || n / objSize != nObjs) {
> > fprintf(stderr, "Bogus memory allocation size\n");
> > exit(1);
> > }
> > return gmalloc(n);
> > }
>
> What's the problem here? That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?
n is not 'undefined' here. For every given nObjs and objSize input, it
always gets the same well-defined value.
We can assume that objSize is a small positive number, since it is not
user defined (just a sizeof value). The function works correctly for
positive number of nObjs (both valid and invalid), but there is a
corner case for negative nOjbs. Since gmalloc() takes a size_t
(unsigned), in most cases gmalloc() will allocate more memory than
required for a negative argument. However, when n is exactly -2^31 you
could see an off-by-one memory allocation error.
Indeed the function should completely be written using unsigned
arithmetics, otherwise your head will just explode.
Hi Florian, hi Frank!
Frank Küster [2005-12-08 22:55 +0100]:
> Florian Weimer <email address hidden> wrote:
> > By the way, the gmallocn function suffers from undefined integer
> > overflow, too:
> >
> > void *gmallocn(int nObjs, int objSize) {
> > int n;
> >
> > n = nObjs * objSize;
> > if (objSize == 0 || n / objSize != nObjs) {
> > fprintf(stderr, "Bogus memory allocation size\n");
> > exit(1);
> > }
> > return gmalloc(n);
> > }
>
> What's the problem here? That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?
n is not 'undefined' here. For every given nObjs and objSize input, it
always gets the same well-defined value.
We can assume that objSize is a small positive number, since it is not
user defined (just a sizeof value). The function works correctly for
positive number of nObjs (both valid and invalid), but there is a
corner case for negative nOjbs. Since gmalloc() takes a size_t
(unsigned), in most cases gmalloc() will allocate more memory than
required for a negative argument. However, when n is exactly -2^31 you
could see an off-by-one memory allocation error.
Indeed the function should completely be written using unsigned
arithmetics, otherwise your head will just explode.
Florian, is that what you meant?
Thanks,
Martin www.piware. de www.ubuntu. com www.debian. org
--
Martin Pitt http://
Ubuntu Developer http://
Debian Developer http://
In a world without walls and fences, who needs Windows and Gates?