From: Paul Eggert Date: Mon, 21 Mar 2011 06:59:29 +0000 (-0700) Subject: strftime: don't assume a byte count fits in 'int' X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ed06c55c442f0ef2ba1ac32b8420bb595c0b98d;p=pspp strftime: don't assume a byte count fits in 'int' * lib/strftime.c (add): Don't assume first arg fits in 'int'. I found this problem by static analysis, using gcc -Wstrict-overflow (GCC 4.5.2, x86-64). This reported an optimization that depended on an integer overflow having undefined behavior, but it turns out that the argument is a size, which might not fit in 'int' anyway, 2011-03-20 Paul Eggert --- diff --git a/ChangeLog b/ChangeLog index 168a6e9a9c..3b24b8b2ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2011-03-20 Paul Eggert + + strftime: don't assume a byte count fits in 'int' + * lib/strftime.c (add): Don't assume first arg fits in 'int'. I + found this problem by static analysis, using gcc -Wstrict-overflow + (GCC 4.5.2, x86-64). This reported an optimization that depended + on an integer overflow having undefined behavior, but it turns out + that the argument is a size, which might not fit in 'int' anyway, + 2011-03-20 Paul Eggert stdio: don't require ignore_value around fwrite diff --git a/lib/strftime.c b/lib/strftime.c index 0a02b50774..95d5beeb84 100644 --- a/lib/strftime.c +++ b/lib/strftime.c @@ -172,15 +172,15 @@ extern char *tzname[]; #define add(n, f) \ do \ { \ - int _n = (n); \ - int _delta = width - _n; \ - int _incr = _n + (_delta > 0 ? _delta : 0); \ - if ((size_t) _incr >= maxsize - i) \ + size_t _n = (n); \ + size_t _incr = _n < width ? width : _n; \ + if (_incr >= maxsize - i) \ return 0; \ if (p) \ { \ - if (digits == 0 && _delta > 0) \ + if (digits == 0 && _n < width) \ { \ + size_t _delta = width - _n; \ if (pad == L_('0')) \ memset_zero (p, _delta); \ else \
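Review bot: the new ChangeLog entry ends mid-sentence, with "which might not fit in 'int' anyway," trailing a comma and nothing after it; finish the thought (or end on a period) so the entry reads as a complete statement of why the change was made. The entry otherwise matches the commit subject and names the affected macro (`add` in lib/strftime.c) as expected.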
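Review bot: in the lib/strftime.c hunk, the comparisons `_n < width` and `_incr = _n < width ? width : _n` now mix `size_t _n` with `width`, whose declaration is outside the hunk. The replaced code computed `int _delta = width - _n;` in signed arithmetic, so a negative `width` (a common sentinel for "no field width given") simply yielded a negative `_delta` and no padding. If `width` is still a signed `int` that can go negative, the usual arithmetic conversions turn it into a huge unsigned value, `_n < width` becomes true, `_incr` becomes that huge value, and `if (_incr >= maxsize - i) return 0;` fires spuriously. Suggest clamping first, e.g. `size_t _w = width < 0 ? 0 : width;` and using `_w` in place of `width` in the three new lines, or otherwise confirm that `width` is non-negative wherever `add` is expanded. The rest of the rewrite is sound: `_incr = _n < width ? width : _n` is the same maximum the old `_n + (_delta > 0 ? _delta : 0)` computed, and moving `_delta` into the `_n < width` branch keeps the subtraction from ever wrapping. Note that `maxsize - i` still relies on the caller maintaining `i < maxsize`, which is unchanged from the old code.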