[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160110121557.GR23362@port70.net>
Date: Sun, 10 Jan 2016 13:15:57 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: Possible infinite loop in qsort()
* Markus Wichmann <nullplan@....net> [2016-01-10 12:38:53 +0100]:
> What I did was make sure that nel * width is greater than the greatest
> Leonardo number * width that's representable in the architecture's
> size_t. That is possible for every given width. The inequation I just
size_t overflow is not a problem
unsigned overflow is well defined and the loop is guaranteed
to finish, the only question if it finishes before lp array
is filled, and the answer is yes if object size is restricted
to <= SIZE_MAX/2
> gave boils down to nel > max{l | l is Leonardo number, l * width < 2^32}
>
> But since there are (plenty of) Leonardo numbers between 2^31 and 2^32,
> and object size (nel * width) is limited to <2^31, with a valid object
> the calculation can't overflow. And with an invalid object, I don't know
> if the code as given would even work, as pointer differences wouldn't
> work. Haven't tested that one, either.
invalid input is ub and qsort does not try catch such ub
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
