FW: [casting; overflow detection]

Joseph S. Myers jsm at polyomino.org.uk
Tue Feb 15 01:28:01 UTC 2011

On Mon, 14 Feb 2011, Paul Eggert wrote:

> On 02/14/2011 07:59 AM, Olson, Arthur David (NIH/NCI) [E] wrote:
> > Does the code available at...
> > 	http://www.cert.org/secure-coding/integralsecurity.html
> > ...survive gcc's latest optimizations?
> I doubt whether anybody knows the answer to that question.
> Looking at the code, I'm not sure I'd trust that code all that
> much, as I found a systemic bug in it after five minutes'
> worth of investigation.  In multiple places it
> naively assumes that integer division can't overflow,
> which of course is incorrect for two's complement arithmetic.

And in addition to integer division being able to overflow, the modulo 
operation INT_MIN % -1 is also undefined in C for two's complement 
arithmetic (C1X makes this undefinedness explicit after the committee 
confirmed it was as intended).  The code appears to ignore that as well.

Joseph S. Myers
jsm at polyomino.org.uk
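The two cases above, division overflow and INT_MIN % -1, as an added C example that is not the CERT code under discussion nor part of tz. Both conditions are tested before the operation is evaluated, so the compiler never sees an expression whose behaviour is undefined; a check performed after the division (the pattern that gets optimised away, and that on x86 never even runs because idiv raises a divide error for INT_MIN / -1) is deliberately not used. The function and type names are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Result of a checked operation: ok == false means the operation was
 * refused because evaluating it would be undefined behaviour in C. */
struct checked {
    bool ok;
    int value;
};

/* True when a / b or a % b must not be evaluated:
 *  - b == 0: division by zero;
 *  - a == INT_MIN && b == -1: the quotient -INT_MIN is not representable
 *    in two's complement, and C makes the remainder undefined as well,
 *    even though the mathematical remainder would be 0. */
bool divmod_undefined(int a, int b)
{
    return b == 0 || (a == INT_MIN && b == -1);
}

/* Quotient, truncated toward zero as C requires, or ok == false. */
struct checked checked_div(int a, int b)
{
    struct checked r = { false, 0 };
    if (divmod_undefined(a, b))
        return r;               /* refuse before evaluating a / b */
    r.ok = true;
    r.value = a / b;
    return r;
}

/* Remainder with the sign of the dividend, or ok == false. */
struct checked checked_mod(int a, int b)
{
    struct checked r = { false, 0 };
    if (divmod_undefined(a, b))
        return r;               /* refuse before evaluating a % b */
    r.ok = true;
    r.value = a % b;
    return r;
}

/* Stand-alone demonstration over constructed inputs, including the
 * two edge cases discussed in the message above. */
int main(void)
{
    const int cases[][2] = {
        { -7, 2 }, { INT_MIN, 1 }, { INT_MIN, -1 }, { 5, 0 }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int a = cases[i][0], b = cases[i][1];
        struct checked q = checked_div(a, b), m = checked_mod(a, b);
        if (q.ok)
            printf("%d / %d = %d, %d %% %d = %d\n", a, b, q.value, a, b, m.value);
        else
            printf("%d / %d and %d %% %d refused (undefined in C)\n", a, b, a, b);
    }
    return 0;
}
```

Note that checked_mod refuses INT_MIN % -1 even though no overflow of the result is possible; the point of the message is precisely that the standard makes this case undefined regardless, so code that only guards the division and lets the modulo through is still wrong.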
