avoid undefined behavior in libiberty/cplus-dem.c

Message ID	Pine.LNX.4.64.1301062320070.31599@escalante.csail.mit.edu
State	New
Headers	show Return-Path: <gcc-patches-return-335037-incoming=patchwork.ozlabs.org@gcc.gnu.org> Comment: DKIM? See http://www.dkim.org Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org; h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:Received:Date:From:To:cc:Subject:Message-ID:MIME-Version:Content-Type:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To; b=LJ34RTDQV5BruLfjFbstla3N+QZyAGj1TCh5BIe6UzImRcY08Esvzq6uz1lhk5 OTFz9KX7u45FVdpYcQJFP+MbaGKR4uwv7kjDMg3vZIzX5hlE/rDmaQ5COb8x7O9X FM/ko5kOb2l4kUoh9s+MPBQbCF6nFWcEhG3hFi3Xih2YQ=; Date: Sun, 6 Jan 2013 23:25:44 -0500 (EST) From: Nickolai Zeldovich <nickolai@csail.mit.edu> To: gcc-patches@gcc.gnu.org cc: nickolai@csail.mit.edu Subject: [PATCH] avoid undefined behavior in libiberty/cplus-dem.c Message-ID: <Pine.LNX.4.64.1301062320070.31599@escalante.csail.mit.edu> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org

Message ID

Pine.LNX.4.64.1301062320070.31599@escalante.csail.mit.edu

State

New

Headers

Comment: DKIM? See http://www.dkim.org
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org;
	h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:Received:Date:From:To:cc:Subject:Message-ID:MIME-Version:Content-Type:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To;
	b=LJ34RTDQV5BruLfjFbstla3N+QZyAGj1TCh5BIe6UzImRcY08Esvzq6uz1lhk5
	OTFz9KX7u45FVdpYcQJFP+MbaGKR4uwv7kjDMg3vZIzX5hlE/rDmaQ5COb8x7O9X
	FM/ko5kOb2l4kUoh9s+MPBQbCF6nFWcEhG3hFi3Xih2YQ=;
Date: Sun, 6 Jan 2013 23:25:44 -0500 (EST)
From: Nickolai Zeldovich <nickolai@csail.mit.edu>
To: gcc-patches@gcc.gnu.org
cc: nickolai@csail.mit.edu
Subject: [PATCH] avoid undefined behavior in libiberty/cplus-dem.c
Message-ID: <Pine.LNX.4.64.1301062320070.31599@escalante.csail.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: gcc-patches-owner@gcc.gnu.org

Commit Message

Nickolai Zeldovich Jan. 7, 2013, 4:25 a.m. UTC

consume_count() in libiberty/cplus-dem.c relies on signed integer overflow 
(which is undefined behavior in C) to detect overflow when parsing a count 
value.  As a result, recent versions of gcc (e.g., 4.7.2) will remove that 
if check altogether as dead code, since it can only be true with UB.  The 
patch below replaces the overflow check with one that does not rely on UB.

Nickolai.

Comments

Jakub Jelinek Jan. 7, 2013, 8:18 a.m. UTC | #1

On Sun, Jan 06, 2013 at 11:25:44PM -0500, Nickolai Zeldovich wrote:
> @@ -494,20 +505,15 @@
> 
>    while (ISDIGIT ((unsigned char)**type))
>      {
> -      count *= 10;
> -
> -      /* Check for overflow.
> -	 We assume that count is represented using two's-complement;
> -	 no power of two is divisible by ten, so if an overflow occurs
> -	 when multiplying by ten, the result will not be a multiple of
> -	 ten.  */
> -      if ((count % 10) != 0)
> +      /* Check whether we can add another digit without overflow. */
> +      if (count > (INT_MAX - 9) / 10)
>  	{
>  	  while (ISDIGIT ((unsigned char) **type))
>  	    (*type)++;
>  	  return -1;
>  	}
> 
> +      count *= 10;
>        count += **type - '0';
>        (*type)++;

Won't the above preclude parsing 2147483640 up to 2147483647 ?
Because then in the last iteration count 214748364 > (INT_MAX - 9) / 10.

	Jakub

Index: libiberty/cplus-dem.c
===================================================================
--- libiberty/cplus-dem.c	(revision 194959)
+++ libiberty/cplus-dem.c	(working copy)
@@ -48,7 +48,18 @@ 
  #include <sys/types.h>
  #include <string.h>
  #include <stdio.h>
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif

+#ifndef UINT_MAX
+#define UINT_MAX	((unsigned int)(~0U))		/* 0xFFFFFFFF */
+#endif
+
+#ifndef INT_MAX
+#define INT_MAX		((int)(UINT_MAX >> 1))		/* 0x7FFFFFFF */
+#endif
+
  #ifdef HAVE_STDLIB_H
  #include <stdlib.h>
  #else
@@ -494,20 +505,15 @@ 

    while (ISDIGIT ((unsigned char)**type))
      {
-      count *= 10;
-
-      /* Check for overflow.
-	 We assume that count is represented using two's-complement;
-	 no power of two is divisible by ten, so if an overflow occurs
-	 when multiplying by ten, the result will not be a multiple of
-	 ten.  */
-      if ((count % 10) != 0)
+      /* Check whether we can add another digit without overflow. */
+      if (count > (INT_MAX - 9) / 10)
  	{
  	  while (ISDIGIT ((unsigned char) **type))
  	    (*type)++;
  	  return -1;
  	}

+      count *= 10;
        count += **type - '0';
        (*type)++;
      }

avoid undefined behavior in libiberty/cplus-dem.c

Commit Message

Comments

Patch