From: Jeff King <peff@peff.net>
To: "René Scharfe" <l.s.r@web.de>
Cc: Git List <git@vger.kernel.org>, Junio C Hamano <gitster@pobox.com>
Subject: Re: [PATCH 1/2] add COPY_ARRAY
Date: Sun, 25 Sep 2016 03:41:44 -0400 [thread overview]
Message-ID: <20160925074144.44onzv5pub5dxuix@sigill.intra.peff.net> (raw)
In-Reply-To: <6f402d35-b483-7552-2fb2-a5350112b8a6@web.de>
On Sun, Sep 25, 2016 at 09:15:42AM +0200, René Scharfe wrote:
> Add COPY_ARRAY, a safe and convenient helper for copying arrays,
> complementing ALLOC_ARRAY and REALLOC_ARRAY. Users just specify source,
> destination and the number of elements; the size of an element is
> inferred automatically.
Seems like a fairly readable construct to have.
> It checks if the multiplication of size and element count overflows.
> The inferred size is passed first to st_mult, which allows the division
> there to be done at compilation time.
I wonder if this actually stops any real overflows. My goal with
ALLOC_ARRAY, etc, was to catch these at the malloc stage (which is the
really dangerous part, because we don't want to under-allocate). So the
first hunk of your patch is:
ALLOC_ARRAY(result, count + 1);
- memcpy(result, pathspec, count * sizeof(const char *));
+ COPY_ARRAY(result, pathspec, count);
which clearly cannot trigger the st_mult() check, because we would have
done so in the ALLOC_ARRAY call[1].
Other calls are not so obvious, but in general I would expect the
allocation step to be doing this check. If we missed one, then it's
possible that this macro could detect it and prevent a problem. But it
seems like the wrong time to check. The allocation is buggy, and we'd
have to just get lucky to be using COPY_ARRAY(). And I don't even mean
"lucky that we switched to COPY_ARRAY from memcpy for this callsite".
There are lots of sites that allocate and then fill the array one by
one, without ever computing the full size again. So allocation is the
only sensible place to enforce integer overflow.
So I'm not sold on this providing any real integer overflow safety. But
I do otherwise like it, as it drops the extra "sizeof" which has to
repeat either the variable name or the type).
-Peff
[1] Actually, this particular example probably should be using
st_add(count, 1), though it's likely not a problem in practice
("count" is an int, so you cannot easily overflow it back to 0 by
incrementing 1, though of course overflowing it at all is undefined
behavior).
next prev parent reply other threads:[~2016-09-25 7:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-25 7:15 [PATCH 1/2] add COPY_ARRAY René Scharfe
2016-09-25 7:24 ` [PATCH 6/7] use COPY_ARRAY René Scharfe
2016-09-25 7:26 ` René Scharfe
2016-09-25 7:41 ` Jeff King [this message]
2016-09-25 8:58 ` [PATCH 1/2] add COPY_ARRAY René Scharfe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160925074144.44onzv5pub5dxuix@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=l.s.r@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).