On Tue, 21 Nov 2006, Steven M. Christey wrote: > I think of an integer overflow as being: "some computation (addition, > multiplication) would produce an integer value that is too large to be > stored in the actual memory location, so the integer wraps to some > other value." (let's leave integer "underflow" out of this for the > moment). The passing of a signed variable called "len" to an unsigned parameter of copyout() is a (trivial) computation producing a value that does not fit into the target type. Negative values "wrap around" and monotonicity (length <= buffer size) is not preserved. IMHO these two classes of problems grow from one common root. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
