https://bugzilla.redhat.com/show_bug.cgi?id=509531

--- Comment #8 from Richard W.M. Jones <rjones@xxxxxxxxxx> 2009-07-03 10:08:41 EDT ---
(In reply to comment #5)
> (In reply to comment #4)
> > Created an attachment (id=350433)
> > --> (https://bugzilla.redhat.com/attachment.cgi?id=350433)
> > camlimages-oversized-png-check.patch
>
> One note from a very quick look... in general, a test like:
>
>   (x) * (y) < (x) || (x) * (y) < (y)
>
> is not sufficient to catch all possible integer overflows in multiplication.
> Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in the
> 32-bit world. This can still result in a small buffer that may be overflowed
> later.
>
> The test is usually written as:
>
>   y != 0 && x > (TYPE)_MAX / y
>
> (first part is needed if y can be 0, not needed in cases where y is
> sizeof(sometype)).

Yup, someone just found a counterexample on #ocaml. I'll change the patch and
rebuild in a moment.
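The two tests discussed above, run against the x == y == 0x10001 counterexample. This is an added example, not code from the camlimages patch; it assumes 32-bit unsigned dimensions (so `UINT32_MAX` stands in for `(TYPE)_MAX`), and the function names, including `checked_image_bytes`, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* What a 32-bit multiply leaves behind: the product truncated modulo 2^32. */
static uint32_t wrapped_product(uint32_t x, uint32_t y)
{
    return (uint32_t)((uint64_t)x * y);
}

/* The test quoted in the thread: compare the wrapped product to each operand.
 * Returns 1 if it flags an overflow. */
static int weak_check(uint32_t x, uint32_t y)
{
    uint32_t p = wrapped_product(x, y);
    return p < x || p < y;
}

/* The recommended form: divide before multiplying, so nothing can wrap.
 * Returns 1 if x * y does not fit in 32 bits. */
static int mul_overflows_u32(uint32_t x, uint32_t y)
{
    return y != 0 && x > UINT32_MAX / y;
}

/* Hypothetical helper: byte size of a width x height image.
 * Returns 0 and stores the size in *out, or -1 if any product overflows. */
static int checked_image_bytes(uint32_t width, uint32_t height,
                               uint32_t bytes_per_pixel, uint32_t *out)
{
    if (mul_overflows_u32(width, height))
        return -1;
    uint32_t pixels = width * height;          /* safe: checked above */
    if (mul_overflows_u32(pixels, bytes_per_pixel))
        return -1;
    *out = pixels * bytes_per_pixel;
    return 0;
}

int main(void)
{
    uint32_t x = 0x10001u, y = 0x10001u, n = 0;  /* counterexample from the thread */
    printf("wrapped product:   0x%x\n", (unsigned)wrapped_product(x, y));
    printf("weak check flags:  %d\n", weak_check(x, y));
    printf("division check:    %d\n", mul_overflows_u32(x, y));
    printf("checked size call: %d\n", checked_image_bytes(x, y, 1, &n));
    return 0;
}
```

The weak check misses the overflow because the wrapped product 0x20001 is still larger than both operands, so a buffer sized from it would be far smaller than the image data written into it.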