Add some more overflow checks inside array allocation #1675
src/rt/lifetime.d
@@ -274,7 +274,8 @@ bool __setArrayAllocLength(ref BlkInfo info, size_t newlength, bool isshared, co | |||
|
|||
if(info.size <= 256) | |||
{ | |||
if(newlength + SMALLPAD + typeInfoSize > info.size) | |||
auto newlength_padded = newlength + SMALLPAD + typeInfoSize; | |||
if(newlength + SMALLPAD + typeInfoSize > info.size || newlength_padded < newlength) |
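Review bot: the new condition recomputes `newlength + SMALLPAD + typeInfoSize` as its first operand even though the line just above stores exactly that sum in `newlength_padded`; compare against the stored value so the two cannot drift apart: `if(newlength_padded > info.size || newlength_padded < newlength)`. The wrap-around test `newlength_padded < newlength` is sound for unsigned `size_t` provided the padding addend is itself far below `size_t.max`, which the small-block branch (`info.size <= 256`) implies, since any wrap then leaves the sum smaller than `newlength`.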
DRY: if (newlength_padded > info.size ||
I'd probably use
{ | ||
void[] buffer; | ||
buffer.length = 1; | ||
buffer.length = size_t.max; |
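Review bot: the visible lines assign `buffer.length = size_t.max` but show no assertion that the assignment is rejected; wrap the assignment so the test passes only when the runtime refuses the allocation and fails if the length silently wraps, otherwise a regression would go unnoticed. With `void[]` the element size is 1, so `size_t.max * 1` passes the multiplication check and only the padding addition wraps, which is exactly the case the PR description targets; a sibling case with a larger element type would additionally exercise the multiplication path.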
This file seems to have exactly the same content as overflow_from_existing.d. Is that on purpose?
Good catch, I completely missed it!
Yes, please use
Well, this is all nice to see on a PR :-) I'll check and use the
If the array length is too large, and the element size small enough, the overflow might go undetected in the check while multiplying array size and element size, but it can later manifest when adding padding, etc. https://issues.dlang.org/show_bug.cgi?id=16470
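To make the failure mode in the description concrete, here is an added C example (not code from the PR or from druntime) that contrasts a size computation guarding only the multiplication with one that also guards the padding addition. `PADDING` is a hypothetical stand-in for `SMALLPAD + typeInfoSize`, and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical padding constant standing in for SMALLPAD + typeInfoSize;
 * the real values live in druntime's lifetime.d. */
#define PADDING 16u

/* Naive version: only the multiplication is guarded, as the description
 * says the pre-PR check effectively was. Reports success even when the
 * padding addition wraps around, returning a tiny size for a huge request. */
bool naive_alloc_size(size_t length, size_t elemsize, size_t *out)
{
    size_t bytes = length * elemsize;
    if (elemsize != 0 && bytes / elemsize != length)
        return false;           /* length * elemsize overflowed */
    *out = bytes + PADDING;     /* may wrap silently */
    return true;
}

/* Checked version: every step that can wrap is guarded before it happens.
 * The pre-check `bytes > SIZE_MAX - PADDING` is equivalent, for unsigned
 * arithmetic, to computing the sum and testing `padded < bytes` afterwards,
 * which is the idiom the PR adds. */
bool checked_alloc_size(size_t length, size_t elemsize, size_t *out)
{
    size_t bytes;
    if (elemsize != 0 && length > SIZE_MAX / elemsize)
        return false;           /* length * elemsize would overflow */
    bytes = length * elemsize;
    if (bytes > SIZE_MAX - PADDING)
        return false;           /* bytes + PADDING would overflow */
    *out = bytes + PADDING;
    return true;
}

int main(void)
{
    size_t out;
    /* Constructed input: the scenario from the description, a 1-byte
     * element type with the maximum length. The multiplication check passes
     * and only the padding addition wraps. */
    if (naive_alloc_size(SIZE_MAX, 1, &out))
        printf("naive:   accepted SIZE_MAX elements, wrapped size = %zu\n", out);
    if (!checked_alloc_size(SIZE_MAX, 1, &out))
        printf("checked: rejected SIZE_MAX elements\n");
    return 0;
}
```

The naive function accepts the request and hands back a wrapped size of 15 bytes, which is what a later allocator call would receive; the checked function rejects it because the padding addition, not the multiplication, is the step that overflows.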
Updated to use
And commit title to trigger bugzilla integration.
Friendly ping :-)
Auto-merge toggled on