# HG changeset patch
# User Paul Eggert
# Date 1300690769 25200
# Node ID fa909c29c50ecd0867149099848588b881ce098a
# Parent 099915a3d0a0c31e67139950ff5391d50ca33272
strftime: don't assume a byte count fits in 'int'
* lib/strftime.c (add): Don't assume first arg fits in 'int'. I found this problem by static analysis, using gcc -Wstrict-overflow (GCC 4.5.2, x86-64). This reported an optimization that depended on an integer overflow having undefined behavior, but it turns out that the argument is a size, which might not fit in 'int' anyway, 2011-03-20 Paul Eggert
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2011-03-20 Paul Eggert
+
+ strftime: don't assume a byte count fits in 'int'
+ * lib/strftime.c (add): Don't assume first arg fits in 'int'. I
+ found this problem by static analysis, using gcc -Wstrict-overflow
+ (GCC 4.5.2, x86-64). This reported an optimization that depended
+ on an integer overflow having undefined behavior, but it turns out
+ that the argument is a size, which might not fit in 'int' anyway,
+
 2011-03-20 Paul Eggert
 
 stdio: don't require ignore_value around fwrite
diff --git a/lib/strftime.c b/lib/strftime.c
--- a/lib/strftime.c
+++ b/lib/strftime.c
@@ -172,15 +172,15 @@
 #define add(n, f) \
 do \
 { \
- int _n = (n); \
- int _delta = width - _n; \
- int _incr = _n + (_delta > 0 ? _delta : 0); \
- if ((size_t) _incr >= maxsize - i) \
+ size_t _n = (n); \
+ size_t _incr = _n < width ? width : _n; \
+ if (_incr >= maxsize - i) \
 return 0; \
 if (p) \
 { \
- if (digits == 0 && _delta > 0) \
+ if (digits == 0 && _n < width) \
 { \
+ size_t _delta = width - _n; \
 if (pad == L_('0')) \
 memset_zero (p, _delta); \
 else \
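Review bot: The new `size_t _incr = _n < width ? width : _n;` line and the `_n < width` padding test compare a `size_t` against `width`, whose declaration is outside the hunk; if `width` is a signed `int` that can be negative (a -1 "no width given" sentinel is the usual convention for this macro's caller, to be confirmed), the usual arithmetic conversions turn it into a huge `size_t`, `_incr` becomes `SIZE_MAX`, the `_incr >= maxsize - i` check fires and the call returns 0 for every conversion without an explicit width. The removed lines tolerated that case because `int _delta = width - _n` went negative and `_delta > 0` guarded both the padding and the length, whereas the new code has no such guard, and the new `size_t _delta = width - _n;` still mixes signed and unsigned. Clamping the width once to an unsigned value and using it in all three places restores the old behaviour. The `add` macro's body continues past the end of the hunk.
```c
      size_t _n = (n);                                                        \
      size_t _w = width < 0 ? 0 : (size_t) width; /* negative = no padding */ \
      size_t _incr = _n < _w ? _w : _n;                                       \
      /* … unchanged: `_incr >= maxsize - i` check, `if (p)` … */             \
          if (digits == 0 && _n < _w)                                         \
            {                                                                 \
              size_t _delta = _w - _n;                                        \
      /* … unchanged: memset_zero / memset_space padding … */
```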