mirage/ocaml-cstruct

Arithmetic overflow in set_len

Closed this issue · 4 comments

set_len should

@raise Invalid_argument if [len] exceeds the size of the buffer.

However:

# Cstruct.(set_len ((sub (create 10) 5 5)) max_int );;
- : Cstruct.t = {Cstruct.buffer = <abstr>; off = 5; len = 4611686018427387903}

More dramatic illustration:

# Cstruct.(blit (create 0xfffff) 0 (set_len ((sub (create 10) 5 5)) max_int ) 0 0xfffff);;
Segmentation fault
avsm commented

With #164 this should now be raising an exception in check_bounds:

Cstruct.(set_len ((sub (create 10) 5 5)) max_int );;
Exception: Invalid_argument "Cstruct.set_len [5,5](10) 4611686018427387903".

Adding a test case...

avsm commented

And the second case:

Cstruct.(blit (create 0xfffff) 0 (set_len ((sub (create 10) 5 5)) max_int ) 0 0xfffff);;
Exception: Invalid_argument "Cstruct.set_len [5,5](10) 4611686018427387903"

Closing as fixed. (The fix relies on the fact that adding two positive numbers cannot overflow and produce a positive number.)
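To make the overflow concrete, here is an added illustration that is not code from ocaml-cstruct or from the fix in #164: a minimal Cstruct-like record with two length checks side by side. `set_len_naive` uses the `off + len > size` comparison that wraps for a huge `len`; `set_len` rejects negative lengths first and then compares against the remaining room computed by subtraction, so no addition can overflow. The record fields, the `sub` helper and the error message format are assumptions made for this example.

```ocaml
(* Added example, not ocaml-cstruct's own code: a toy view over a byte buffer. *)
type t = { buffer : Bytes.t; off : int; len : int }

let create n = { buffer = Bytes.make n '\000'; off = 0; len = n }

(* Assumed helper mirroring the shape of Cstruct.sub: off and len must be
   non-negative and fit inside the current view. Because both operands are
   non-negative and bounded by the view, t.len - len cannot overflow. *)
let sub t off len =
  if off < 0 || len < 0 || off > t.len - len then
    invalid_arg
      (Printf.sprintf "sub [%d,%d](%d) %d %d" t.off t.len
         (Bytes.length t.buffer) off len);
  { t with off = t.off + off; len }

(* The vulnerable pattern: for len = max_int, t.off + len wraps to a
   negative number, the comparison is false, and the oversized view is
   accepted. Any later read or write through it runs off the buffer. *)
let set_len_naive t len =
  if t.off + len > Bytes.length t.buffer then invalid_arg "set_len_naive"
  else { t with len }

(* Overflow-safe version: reject negative lengths, then compare against the
   bytes that actually remain after off. Subtracting off (which is at most
   the buffer size) from the buffer size cannot overflow. *)
let set_len t len =
  if len < 0 || len > Bytes.length t.buffer - t.off then
    invalid_arg
      (Printf.sprintf "set_len [%d,%d](%d) %d" t.off t.len
         (Bytes.length t.buffer) len)
  else { t with len }

let () =
  let v = sub (create 10) 5 5 in
  (* 5 + max_int wraps to min_int + 4, which is below 10: accepted. *)
  let bad = set_len_naive v max_int in
  Printf.printf "naive check accepted off=%d len=%d\n" bad.off bad.len;
  (* The subtraction-based check rejects the same input. *)
  match set_len v max_int with
  | _ -> print_endline "unexpected: oversized view accepted"
  | exception Invalid_argument msg -> Printf.printf "checked: %s\n" msg
```

Run it with `ocaml set_len_demo.ml` (file name assumed). The first line shows the naive check handing back a view with `len = 4611686018427387903`, exactly the state the issue reports; the second line shows the subtraction-based check raising `Invalid_argument` instead. The general rule is the one avsm states above: validate the sign of each operand, then phrase the bound as a subtraction from a value known to be in range rather than as an addition that may wrap.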

avsm commented

Thanks @yallop! Fix will be in 3.1.0