Re: [RFC] Time to talk about StringNG merge again?

From: Kinkie <gkinkie_at_gmail.com>
Date: Thu, 1 Aug 2013 10:56:28 +0200

Now I see.
I have worked on this too much - I keep seeing what I believe it is
instead of what it actually is.
Fixed in both rawSpace and reserveSpace.

On Wed, Jul 31, 2013 at 7:12 PM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 07/31/2013 11:11 AM, Alex Rousskov wrote:
>> On 07/31/2013 10:12 AM, Kinkie wrote:
>>>>>> Not if the math overflowed down to a smaller value before it even got
>>>>>> passed
>>>>>> to reserveCapacity().
>>>>>
>>>>> Ok. I'm going to check minSpace. maxSize+minSpace is definitely not
>>>>> enough to overflow size_type
>>>>
>>>>
>>>> minSpace is controlled completely by the unknown caller code. It may be
>>>> UINT_MAX or something equally capable of overflowing when you add to it.
>>
>>
>>> What is currently done is:
>>>
>>> reserveSpace(minSpace) {
>>> reserveCapacity(length()+minSpace);
>>> }
>>
>>
>> Kinkie,
>>
>> I am afraid you are missing the point here. Consider the case where
>> minSpace is the maximum value that size_type can hold and length() is
>> 100. The above sum overflows _before_ any of your checks in
>> reserveCapacity() happen.
>>
>> The correct check in reserveSpace() is:
>>
>> Must(minSpace >= 0 && length() < maximum size_type value - minSpace)
>
>
> Must(minSpace >= 0 && length() <= maximum size_type value - minSpace)
>
> Alex.
>

-- 
    /kinkie
Received on Thu Aug 01 2013 - 08:56:37 MDT
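
The overflow discussed in this thread, shown as an added example that is not part of the original messages or of Squid's code: the sum wraps before reserveCapacity() can check it, and the guard with <= in the caller catches it. Assumptions: size_type is modelled as an unsigned 32-bit type so the wraparound is well-defined and observable (with a signed type the overflow is undefined behaviour and the minSpace >= 0 half of the check applies too); ToyBuf, kMaxSize and the helper functions are hypothetical names.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <stdexcept>

// Assumptions: size_type is modelled as unsigned 32-bit; ToyBuf and kMaxSize are hypothetical.
using size_type = std::uint32_t;
constexpr size_type kTypeMax = std::numeric_limits<size_type>::max();
constexpr size_type kMaxSize = 0x0FFFFFFF; // constructed upper bound checked by reserveCapacity()

// The corrected precondition from the thread, with <= so an exact fit is allowed.
bool sumFits(size_type length, size_type minSpace) {
    return length <= kTypeMax - minSpace;
}

struct ToyBuf {
    size_type len = 0, cap = 0;
    size_type length() const { return len; }
    size_type freeSpace() const { return cap - len; }

    // Validates only the value it receives; it cannot tell that the sum wrapped.
    void reserveCapacity(size_type minCapacity) {
        if (minCapacity > kMaxSize) throw std::length_error("above maxSize");
        if (minCapacity > cap) cap = minCapacity;
    }
    // Form quoted in the thread: the addition happens before any check.
    void reserveSpaceUnchecked(size_type minSpace) {
        reserveCapacity(static_cast<size_type>(length() + minSpace));
    }
    // Guard the addition in the caller, then delegate.
    void reserveSpaceChecked(size_type minSpace) {
        if (!sumFits(length(), minSpace)) throw std::overflow_error("length()+minSpace wraps");
        reserveCapacity(length() + minSpace);
    }
};

// Free space after an unchecked request on a full 100-byte buffer.
size_type uncheckedFreeSpace(size_type minSpace) {
    ToyBuf b; b.len = b.cap = 100;
    b.reserveSpaceUnchecked(minSpace);
    return b.freeSpace();
}
// True when the checked variant refuses the same request.
bool checkedRejects(size_type minSpace) {
    ToyBuf b; b.len = b.cap = 100;
    try { b.reserveSpaceChecked(minSpace); } catch (const std::exception &) { return true; }
    return false;
}

int main() {
    std::printf("unchecked free space: %u\n", static_cast<unsigned>(uncheckedFreeSpace(kTypeMax)));
    std::printf("checked rejects: %d\n", checkedRejects(kTypeMax));
}
```

With length() at 100 and minSpace at the type maximum, the unchecked call returns normally with zero free bytes, so a caller that then writes minSpace bytes would run past the buffer.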
