[Boost-bugs] [Boost C++ Libraries] #6827: Integer overflow in read function

From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2012-04-24 17:41:58


#6827: Integer overflow in read function
-------------------------------------------------------+--------------------
 Reporter: msuvajac@… | Owner: turkanis
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: iostreams
  Version: Boost Development Trunk | Severity: Showstopper
 Keywords: security, overflow, restrict, restriction |
-------------------------------------------------------+--------------------
 The problem with this chunk of code (from
 boost/iostreams/detail/restrict_impl.hpp read function):
 {{{
 std::streamsize amt =
     end_ != -1 ?
             (std::min) (n, static_cast<std::streamsize>(end_ - pos_)) :
             n;
 }}}
 is that it's prone to integer overflow. So if you have, let's say, an end_ that
 is ''> INT_MAX'', ''std::min'' will return a 'wrong' (unwanted) value, e.g.:

 {{{
 std::streamsize a = 0xb14c1000;
 std::streamsize b = 1;

 std::streamsize result = (std::min)(a, b);
 }}}

 This will return ''result = 0xb14c1000'', which, if applied to our case,
 means we will read ''0xb14c1000'' instead of 1 byte.

 This can be fixed like this:

 {{{
 std::streamsize amt(n);

 if (end_ != -1 && end_ <= std::numeric_limits<std::streamsize>::max())
 {
     amt = (std::min) (n, static_cast<std::streamsize>(end_ - pos_));
 }
 }}}

-- 
Ticket URL: <https://svn.boost.org/trac/boost/ticket/6827>
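
The narrowing described in the ticket, reproduced as an added example (not code from Boost or from the reporter), next to one way of clamping that compares in the wide type before narrowing. The aliases size32 and off64 and both function names are assumptions made here: they stand in for a 32-bit std::streamsize and a 64-bit stream offset so the behaviour is the same on any platform.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>

// Assumed stand-ins (not Boost types): size32 models a 32-bit
// std::streamsize, off64 models a 64-bit stream offset.
using size32 = std::int32_t;
using off64  = std::int64_t;

// Same shape as the expression quoted in the ticket: the 64-bit distance
// is narrowed to the 32-bit size type *before* std::min compares it.
size32 narrowing_amt(size32 n, off64 pos, off64 end) {
    return end != -1 ? (std::min)(n, static_cast<size32>(end - pos)) : n;
}

// Compare in the wide type first and narrow afterwards. The result is
// never larger than n, so the final cast cannot lose bits.
size32 clamped_amt(size32 n, off64 pos, off64 end) {
    if (end == -1) return n;            // unrestricted region
    const off64 remaining = end - pos;
    if (remaining <= 0) return 0;       // already at or past the end
    return static_cast<size32>((std::min)(static_cast<off64>(n), remaining));
}

int main() {
    const off64 end = 0xb14c1000LL;     // value from the ticket, > INT32_MAX
    std::cout << "narrowing: " << narrowing_amt(1, 0, end) << '\n';
    std::cout << "clamped:   " << clamped_amt(1, 0, end) << '\n';

    // Constructed second case: a distance above 4 GiB keeps only its low
    // 32 bits, so the narrowing form silently shortens the read.
    const off64 big = 0x100000005LL;
    std::cout << "narrowing: " << narrowing_amt(100, 0, big) << '\n';
    std::cout << "clamped:   " << clamped_amt(100, 0, big) << '\n';
}
```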