[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

Martin Pitt <mpitt@debian.org> wrote:

> Hi Florian, hi Frank!
>
> Frank Küster [2005-12-08 22:55 +0100]:
>> Florian Weimer <fw@deneb.enyo.de> wrote:
>> > By the way, the gmallocn function suffers from undefined integer
>> > overflow, too:
>> >
>> > void *gmallocn(int nObjs, int objSize) {
>> >   int n;
>> >
>> >   n = nObjs * objSize;
>> >   if (objSize == 0 || n / objSize != nObjs) {
>> >     fprintf(stderr, "Bogus memory allocation size\n");
>> >     exit(1);
>> >   }
>> >   return gmalloc(n);
>> > }
>> 
>> What's the problem here?  That the value in "n" is undefined, and
>> therefore the comparison n / objSize != nObjs is undefined, too?
>
> n is not 'undefined' here. For every given nObjs and objSize input, it
> always gets the same well-defined value.
>
> We can assume that objSize is a small positive number, since it is not
> user defined (just a sizeof value). The function works correctly for
> positive number of nObjs (both valid and invalid), 

But what if nObjs * objSize is larger than fits into an int?

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Reply to: