Catching sign promotions
Writing about 64-bit systems.
Lengths of buffers > 2^31 are negative int32.
A cast from a negative int32 to size_t leads to a *large* size_t, effectively
increasing the length:
(size_t) (int32) (2^32-1) == 2^64-1
gcc's -Wconversion warns about different widths, but does not warn about
sign promotion.
Is it easy to catch such cases, *focusing on copying functions*?
I am tempted by the ugly preprocessor kludge:
    #undef memcpy
    #define memcpy(dest,src,size) \
        {(((typeof(size)) 0xFFFFFFFF) < 0 ) ? 1/0 : 1; \
        __builtin_memcpy (dest, src, size);}
(The ugliness of 1/0 is because I don't know how to get a warning inside a
macro.)
Example crashing test case:
    #include <limits.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(void)
    {
        /* volatile keeps the compiler from folding the length into a constant */
        volatile int s;
        char *a, *b;

        s = INT_MIN + 1;            /* 0x80000001: 2^31+1 read as a negative int32 */
        a = calloc(1, (unsigned int) s);
        b = calloc(1, (unsigned int) s);
        printf("%08x %p %p\n", (unsigned int) s, (void *) a, (void *) b);
        /* s is converted to size_t here: the negative int32 becomes ~2^64 bytes,
           so the copy runs off the end of both buffers (or off NULL if calloc
           failed) and faults */
        memcpy(a, b, s);
        return 0;
    }
_______________________________________________
dev-static-analysis mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-static-analysis
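Added example, not from the original post or the list: a C11 _Generic wrapper that does what the macro above probes with typeof(size), dispatching on the type of the size argument, and refusing a negative length at run time instead of letting the implicit conversion to size_t enlarge it. The names CHECKED_MEMCPY, checked_memcpy_signed, checked_memcpy_unsigned, as_size_t and demo_negative_length are mine, and the 16-byte buffers are constructed test data standing in for the 2^31+1-byte allocations in the test case.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The conversion the post describes: a negative int32 length passed where a
 * size_t is expected becomes a huge unsigned value (-1 -> SIZE_MAX). */
size_t as_size_t(int n)
{
    return (size_t)n;
}

/* Runtime path for size arguments of signed type: refuse a negative length
 * instead of letting the implicit conversion enlarge it. Returns 0 on success,
 * -1 if the copy was refused (nothing is written in that case). */
int checked_memcpy_signed(void *dest, const void *src, long long n, int line)
{
    if (n < 0) {
        fprintf(stderr, "line %d: refusing memcpy of negative length %lld\n",
                line, n);
        return -1;
    }
    memcpy(dest, src, (size_t)n);
    return 0;
}

/* Unsigned sizes cannot be negative, so copy directly. Same shape as the
 * signed variant so either can be the result of the _Generic selection. */
int checked_memcpy_unsigned(void *dest, const void *src, size_t n, int line)
{
    (void)line;
    memcpy(dest, src, n);
    return 0;
}

/* C11 _Generic dispatches on the type of the size argument, which is the
 * property the post's typeof(size) trick is probing. The "+ 0" strips
 * qualifiers (the post's test case uses a volatile int) and applies the
 * integer promotions, so short and char sizes also land in the signed path. */
#define CHECKED_MEMCPY(dest, src, size)                 \
    _Generic(((size) + 0),                              \
             int:       checked_memcpy_signed,          \
             long:      checked_memcpy_signed,          \
             long long: checked_memcpy_signed,          \
             default:   checked_memcpy_unsigned)        \
        ((dest), (src), (size), __LINE__)

/* The post's scenario on small, constructed buffers: s holds 0x80000001, i.e.
 * INT_MIN + 1, the value the original test case computes as (1<<31)+1. The copy
 * with the negative int is refused and the destination stays untouched; the
 * copy with a size_t length goes through. Returns 1 when both behave so. */
int demo_negative_length(void)
{
    volatile int s = INT_MIN + 1;
    char a[16] = {0};
    char b[16] = "sixteen bytes!!";

    if (CHECKED_MEMCPY(a, b, s) != -1 || a[0] != 0)
        return 0;
    if (CHECKED_MEMCPY(a, b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof b) == 0;
}

int main(void)
{
    printf("(size_t)-1 = %zu\n", as_size_t(-1));
    printf("(size_t)(INT_MIN+1) = %zu\n", as_size_t(INT_MIN + 1));
    printf("demo %s\n", demo_negative_length() ? "ok" : "FAILED");
    return demo_negative_length() ? 0 : 1;
}
```

The wrapper keys on the type at the call site, not on the value, so a size_t argument that already carries a wrapped value passes straight through; that matches the post's framing of the bug as a sign problem in the copy call. For a compile-time diagnostic in place of the 1/0 trick, GCC's warning function attribute (__attribute__((warning("...")))) on a helper that only the signed branch selects reports each such call site when the call survives optimisation.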