Arithmetic overflow in set_len
Closed this issue · 4 comments
yallop commented
set_len should @raise Invalid_argument if [len] exceeds the size of the buffer.
However:
# Cstruct.(set_len ((sub (create 10) 5 5)) max_int );;
- : Cstruct.t = {Cstruct.buffer = <abstr>; off = 5; len = 4611686018427387903}
More dramatic illustration:
# Cstruct.(blit (create 0xfffff) 0 (set_len ((sub (create 10) 5 5)) max_int ) 0 0xfffff);;
Segmentation fault
avsm commented
With #164 this should now be raising an exception in check_bounds:
Cstruct.(set_len ((sub (create 10) 5 5)) max_int );;
Exception: Invalid_argument "Cstruct.set_len [5,5](10) 4611686018427387903".
Adding a test case...
avsm commented
And the second case:
Cstruct.(blit (create 0xfffff) 0 (set_len ((sub (create 10) 5 5)) max_int ) 0 0xfffff);;
Exception: Invalid_argument "Cstruct.set_len [5,5](10) 4611686018427387903"
yallop commented
Closing as fixed. (The fix relies on the fact that adding two positive numbers cannot overflow and produce a positive number.)
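The sign argument in the closing comment, worked through as an added example. This is not code from the thread or from Cstruct: the `view` record, its `cap` field and both `set_len_*` functions are hypothetical stand-ins, and the naive check is an assumed illustration of a bounds test that lets the reported call through.

```ocaml
(* Toy model of a view into a buffer; NOT Cstruct's implementation.
   [cap] stands in for the size of the underlying buffer. *)
type view = { cap : int; off : int; len : int }

(* Naive check (assumed, for illustration): computes [off + len]
   without considering that the addition can wrap around. *)
let set_len_naive v len =
  if len < 0 || v.off + len > v.cap then invalid_arg "set_len_naive"
  else { v with len = len }

(* Hardened check: [off] and [len] are both non-negative at this point,
   so if their sum wraps it is necessarily negative. Testing the sign of
   the sum is therefore enough to detect the overflow. *)
let set_len_checked v len =
  if len < 0 then invalid_arg "set_len_checked: negative len";
  let new_end = v.off + len in
  if new_end < 0 || new_end > v.cap then
    invalid_arg "set_len_checked: out of bounds"
  else { v with len = len }

(* True if [f ()] raises Invalid_argument. *)
let raises f =
  match f () with
  | _ -> false
  | exception Invalid_argument _ -> true

let () =
  (* Constructed input with the same shape as the report:
     offset 5, length 5, in a 10-byte buffer. *)
  let v = { cap = 10; off = 5; len = 5 } in
  (* 5 + max_int wraps to a negative number. *)
  assert (v.off + max_int < 0);
  (* The naive comparison sees "negative > 10" as false and accepts. *)
  assert (not (raises (fun () -> set_len_naive v max_int)));
  (* The sign test rejects the wrapped sum. *)
  assert (raises (fun () -> set_len_checked v max_int));
  (* Ordinary out-of-bounds and in-bounds lengths behave as expected. *)
  assert (raises (fun () -> set_len_checked v 6));
  assert ((set_len_checked v 5).len = 5);
  assert ((set_len_checked v 0).len = 0);
  print_endline "ok"
```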