From: "René Scharfe" <l.s.r@web.de>
To: Junio C Hamano <gitster@pobox.com>
Cc: Phillip Wood via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, Phillip Wood <phillip.wood@dunelm.org.uk>
Subject: Re: [PATCH 3/3] git_parse_signed(): avoid integer overflow
Date: Sun, 23 Oct 2022 07:57:00 +0200 [thread overview]
Message-ID: <c24c3ac9-0de6-62f6-607f-2d8f69ca9fa8@web.de> (raw)
In-Reply-To: <xmqqv8obhkeb.fsf@gitster.g>
Am 22.10.22 um 18:51 schrieb Junio C Hamano:
> René Scharfe <l.s.r@web.de> writes:
>
>>>> + if (max < 0)
>>>> + BUG("max must be a positive integer");
>>>
>>> In parse_signed(), would we expect to accept end-user input that is
>>> a negative integer? We must. Otherwise we would not be calling a
>>> "signed" parser. Now, are there cases where the valid value range
>>> is bounded by a negative integer at the top? No current callers may
>>> pass such a value, but is it reasonable to add such a new constraints
>>> to an existing API function?
>>
>> Hmm, if minimum and maximum are not symmetric, then we need to supply
>> both, don't we?
>
> Ah, thanks for injecting doze of sanity---I totally missed that the
> bound was about the absolute value, so we can say "this is signed,
> and the allowed values are (-3, -2, -1, 0, 1, 2, 3). If so, then the
> "reject negative max" in the posted patch is not a problem as I said
> above. I somehow thought that giving -1 as "max" would allow callers
> to say "non-negative numbers are not allowed". But that is not what
> is going on.
Right, currently the value of `max` is used to check the absolute value,
i.e. it imposes a limit in both the positive and negative direction.
> Allowing callers to specify both lower and uppoer bounds so that
> they can say "the allowed values are (-1, 0, 1, 2, 3)", while it
> might make it more useful, is a separate new feature development and
> outside the scope of "let's tighten the parsing of end user input"
> Phillip has here.
Allowing arbitrary limits in both directions might be a new feature, but
it's required if we want to support the full range of values. E.g. on
my system INT_MAX is 2147483647 and INT_MIN is -2147483647-1. Currently
git_parse_int() rejects INT_MIN as out of range.
In my eyes the assumption that a single limit can be used to check both
directions of the signed number line is flawed and caused the undefined
behavior. Dropping it avoids tricky calculations that try to infer the
lower limit somehow and opens the full range of values to us.
That said, I'm not sure how useful the values INT_MIN, INT64_MIN and
SSIZE_MIN (which unlike SSIZE_MAX is not defined by POSIX [*]) actually
are. But doing the checks properly requires separate min and max values.
René
[*] Perhaps git_parse_ssize_t() should reject values less than -1; only
that single negative number is needed to represent errors or unlimited.
next prev parent reply other threads:[~2022-10-23 5:57 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-21 13:45 [PATCH 0/3] a few config integer parsing fixes Phillip Wood via GitGitGadget
2022-10-21 13:45 ` [PATCH 1/3] git_parse_unsigned: reject negative values Phillip Wood via GitGitGadget
2022-10-21 18:09 ` Junio C Hamano
2022-10-21 20:13 ` Jeff King
2022-10-22 17:54 ` Junio C Hamano
2022-10-21 13:45 ` [PATCH 2/3] config: require at least one digit when parsing numbers Phillip Wood via GitGitGadget
2022-10-21 18:19 ` Junio C Hamano
2022-10-25 9:54 ` Phillip Wood
2022-10-25 16:08 ` Junio C Hamano
2022-10-21 20:17 ` Jeff King
2022-10-22 17:51 ` Junio C Hamano
2022-10-22 20:25 ` Jeff King
2022-10-22 21:00 ` Junio C Hamano
2022-10-25 9:55 ` Phillip Wood
2022-10-21 13:45 ` [PATCH 3/3] git_parse_signed(): avoid integer overflow Phillip Wood via GitGitGadget
2022-10-21 18:31 ` Junio C Hamano
2022-10-22 8:09 ` René Scharfe
2022-10-22 16:51 ` Junio C Hamano
2022-10-23 5:57 ` René Scharfe [this message]
2022-10-25 10:00 ` Phillip Wood
2022-10-26 11:01 ` René Scharfe
2022-11-09 14:16 ` [PATCH v2 0/3] a few config integer parsing fixes Phillip Wood via GitGitGadget
2022-11-09 14:16 ` [PATCH v2 1/3] git_parse_unsigned: reject negative values Phillip Wood via GitGitGadget
2022-11-09 15:57 ` Ævar Arnfjörð Bjarmason
2022-11-09 14:16 ` [PATCH v2 2/3] config: require at least one digit when parsing numbers Phillip Wood via GitGitGadget
2022-11-09 14:16 ` [PATCH v2 3/3] git_parse_signed(): avoid integer overflow Phillip Wood via GitGitGadget
2022-11-10 2:35 ` [PATCH v2 0/3] a few config integer parsing fixes Taylor Blau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c24c3ac9-0de6-62f6-607f-2d8f69ca9fa8@web.de \
--to=l.s.r@web.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=phillip.wood@dunelm.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).