Re: [RFC] Time to talk about StringNG merge again?

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 31 Jul 2013 11:12:14 -0600

On 07/31/2013 11:11 AM, Alex Rousskov wrote:
> On 07/31/2013 10:12 AM, Kinkie wrote:
>>>>> Not if the math overflowed down to a smaller value before it even got
>>>>> passed to reserveCapacity().
>>>>
>>>> Ok. I'm going to check minSpace. maxSize+minSpace is definitely not
>>>> enough to overflow size_type
>>>
>>>
>>> minSpace is controlled completely by the unknown caller code. It may be
>>> UINT_MAX or something equally capable of overflowing when you add to it.
>
>
>> What is currently done is:
>>
>> reserveSpace(minSpace) {
>> reserveCapacity(length()+minSpace);
>> }
>
>
> Kinkie,
>
> I am afraid you are missing the point here. Consider the case where
> minSpace is the maximum value that size_type can hold and length() is
> 100. The above sum overflows _before_ any of your checks in
> reserveCapacity() happen.
>
> The correct check in reserveSpace() is:
>
> Must(minSpace >= 0 && length() < maximum size_type value - minSpace)

Must(minSpace >= 0 && length() <= maximum size_type value - minSpace)

Alex.
Received on Wed Jul 31 2013 - 17:12:32 MDT
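
The wraparound discussed in this thread, as an added example that is not part of the original message and is not Squid's code. ToyBuf, its maxSize value, the unsigned size_type and the use of exceptions in place of Must() are all assumptions made for the illustration.

```cpp
#include <cstddef>
#include <limits>
#include <stdexcept>

// Hypothetical stand-in for the string buffer under discussion; only the
// size arithmetic is modelled, no memory is allocated.
class ToyBuf {
public:
    typedef std::size_t size_type;              // assumed unsigned
    static const size_type maxSize = 0xfffffff; // constructed cap for the example

    explicit ToyBuf(size_type len) : len_(len), cap_(len) {}
    size_type length() const { return len_; }

    // Checks only the sum it is handed, so it cannot notice an earlier wrap.
    void reserveCapacity(size_type minCapacity) {
        if (minCapacity > maxSize)
            throw std::length_error("capacity above maxSize");
        if (minCapacity > cap_)
            cap_ = minCapacity;
    }

    // As quoted in the thread: the addition wraps before any check runs.
    void reserveSpaceUnchecked(size_type minSpace) {
        reserveCapacity(length() + minSpace);
    }

    // With the check from the message, written as a subtraction so the test
    // itself cannot wrap. With an unsigned size_type, minSpace >= 0 always holds.
    void reserveSpaceChecked(size_type minSpace) {
        if (length() > std::numeric_limits<size_type>::max() - minSpace)
            throw std::overflow_error("length() + minSpace overflows size_type");
        reserveCapacity(length() + minSpace);
    }
private:
    size_type len_, cap_;
};

// Returns true when the request was rejected with an exception.
bool rejects(bool checked, ToyBuf::size_type len, ToyBuf::size_type minSpace) {
    ToyBuf b(len);
    try {
        if (checked) b.reserveSpaceChecked(minSpace);
        else b.reserveSpaceUnchecked(minSpace);
    } catch (const std::exception &) {
        return true;
    }
    return false;
}
```

With length() at 100 and minSpace at the size_type maximum, the unchecked path hands reserveCapacity() a wrapped sum of 99 and the request is accepted; the checked path rejects it.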
