git.ipfire.org Git - thirdparty/libarchive.git/commit

author	Xi Wang <xi.wang@gmail.com>
	Fri, 28 Sep 2012 07:04:42 +0000 (03:04 -0400)
committer	Xi Wang <xi.wang@gmail.com>
	Fri, 28 Sep 2012 07:27:26 +0000 (03:27 -0400)
commit	ff1e3075d08a9a4654c9865940283333dfb985dd
tree	a3f949bb1f26d0b92c14f7f6f400e2070c1a5f4c	tree
parent	66b1a0b7a3b543f2e6f5ae9d59f3de04b80134a0	commit \| diff

Fix signed integer overflow in safe_fprintf()

The following "overflow" check in safe_fprintf() invokes undefined
behavior (signed integer overflow), which is incorrect. Clang will
optimize it away.

int old_length = fmtbuff_length;
fmtbuff_length += fmtbuff_length / 4;
if (old_length > fmtbuff_length) { ... }

The check is in the form:

x > x + x / 4.

As per the C standard, the check is equivalent to:

0 > x / 4,

since x + x / 4 is assumed to not overflow (otherwise undefined).

An earlier check ensures x >= 8192, so this check is always false,
and Clang doesn't emit code for it.

This patch uses unsigned integers to avoid undefined behavior.