FW: [casting; overflow detection]
Joseph S. Myers
jsm at polyomino.org.uk
Tue Feb 15 01:28:01 UTC 2011
On Mon, 14 Feb 2011, Paul Eggert wrote:
> On 02/14/2011 07:59 AM, Olson, Arthur David (NIH/NCI) [E] wrote:
> > Does the code available at...
> > http://www.cert.org/secure-coding/integralsecurity.html
> > ...survive gcc's latest optimizations?
>
> I doubt whether anybody knows the answer to that question.
>
> Looking at the code, I'm not sure I'd trust that code all that
> much, as I found a systemic bug in it after five minutes'
> worth of investigation. In multiple places it
> naively assumes that integer division can't overflow,
> which of course is incorrect for two's complement arithmetic.
And in addition to integer division being able to overflow, the modulo
operation INT_MIN % -1 is also undefined in C for two's complement
arithmetic (C1X makes this undefinedness explicit after the committee
confirmed it was as intended). The code appears to ignore that as well.
--
Joseph S. Myers
jsm at polyomino.org.uk
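The two undefined cases Joseph calls out, INT_MIN / -1 and INT_MIN % -1, are easy to guard against if the check comes before the operation rather than after it. The following helpers are an added example written for this page, not code from the thread, from the tz project, or from the CERT page under discussion; the names safe_div and safe_mod are my own. C11 6.5.5p6 makes both the quotient and the remainder undefined whenever the quotient is not representable, and on x86 the idiv instruction traps with SIGFPE in either case, so the remainder must be refused as well even though its mathematical value would be 0.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the mailing-list thread or the CERT code):
 * overflow-aware signed division and remainder for int.
 *
 * The only int quotient that is not representable in two's complement is
 * INT_MIN / -1 (it would be INT_MAX + 1).  C11 6.5.5p6 says that when the
 * quotient a/b is not representable, BOTH a/b and a%b are undefined, so
 * INT_MIN % -1 must be rejected too, even though the mathematical remainder
 * is 0.  Division by zero is undefined in every case.
 *
 * The tests are done on the operands BEFORE dividing.  A check performed on
 * the result after the fact relies on behaviour the standard leaves
 * undefined, and an optimising compiler is entitled to assume it never
 * happens and delete the check.
 */

/* True when a / b (and therefore a % b) is undefined in C. */
bool div_is_undefined(int a, int b)
{
    return b == 0 || (a == INT_MIN && b == -1);
}

/* On success stores a / b in *q and returns true.
 * Returns false, leaving *q untouched, when the operation is undefined. */
bool safe_div(int a, int b, int *q)
{
    if (div_is_undefined(a, b))
        return false;
    *q = a / b;
    return true;
}

/* On success stores a % b in *r and returns true.
 * Returns false, leaving *r untouched, when the operation is undefined.
 * INT_MIN % -1 is refused rather than "helpfully" reported as 0 because the
 * expression itself is what the standard leaves undefined. */
bool safe_mod(int a, int b, int *r)
{
    if (div_is_undefined(a, b))
        return false;
    *r = a % b;
    return true;
}

int main(void)
{
    /* Constructed sample operands covering the ordinary and the undefined cases. */
    const struct { int a, b; } cases[] = {
        { 7, 2 }, { -7, 2 }, { INT_MIN, 1 }, { INT_MIN, -1 }, { 5, 0 },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int q, r;
        int a = cases[i].a, b = cases[i].b;

        if (safe_div(a, b, &q) && safe_mod(a, b, &r))
            printf("%d / %d = %d, %d %% %d = %d\n", a, b, q, a, b, r);
        else
            printf("%d / %d and %d %% %d are undefined in C; refused\n",
                   a, b, a, b);
    }
    return 0;
}
```

The same shape works for long and long long with LONG_MIN and LLONG_MIN substituted; the representability problem is the same for every signed type. Note that unsigned types have no such case, since unsigned division never overflows and b == 0 is the only undefined input.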