integer overflows in the standard library #3420
Comments
|
Comment author: administrator
You're entirely right, and this bug has been around for ages. (Blush.)
I believe that works as well, since subtraction between two non-negative integers cannot Thanks for a well-spotted bug report.
|
|
Comment author: administrator Fixed 2002-07-12 by XL |
Original bug ID: 1229
Reporter: administrator
Status: closed
Resolution: fixed
Priority: normal
Severity: minor
Category: ~DO NOT USE (was: OCaml general)
Bug description
Full_Name: Andy Chou
Version: 3.04
OS: Linux
Submission from: acc.stanford.edu (128.12.185.77)
Hi,
The standard library has many places where insufficient checking is done for
integer overflow. Here are a few examples that cause seg faults (certainly
there are more places where this happens):
(* the input/output functions in Pervasives *)
let _ =
let f = open_out "f" in
output f "" 0x3fffffff 1
(* String *)
let _ = String.sub "" 0x3fffffff 1
let _ = String.fill "" 0x3fffffff 1 'a'
(* Buffer *)
let _ =
let b = Buffer.create 10 in
Buffer.add_substring b "" 0x3fffffff 1
The problem is basically code like the following:
if ofs < 0 || len < 0 || ofs + len > length s
then invalid_arg "String.sub"
where ofs + len might overflow. A better check might look like:
if ofs < 0 || len < 0 || ofs + len < 0 || ofs + len > length s
Better yet, if unsigned comparison was made available from Ocaml using, say,
operator ">u", then you could write:
if ofs < 0 || len < 0 || ofs + len >u length s
By the way, I've really enjoyed learning Ocaml. Thanks for all the hard work
making this language come to life in a powerful way.
-Andy
The text was updated successfully, but these errors were encountered: