On 04/02/2021 16:35, Petr Mladek wrote:
On Wed 2021-02-03 21:45:55, Andy Shevchenko wrote:
On Wed, Feb 03, 2021 at 04:50:07PM +0000, Richard Fitzgerald wrote:
The existing code attempted to handle numbers by doing a strto[u]l(),
ignoring the field width, and then repeatedly dividing to extract the
field out of the full converted value. If the string contains a run of
valid digits longer than will fit in a long or long long, this would
overflow and no amount of dividing can recover the correct value.
...
+ for (; max_chars > 0; max_chars--) {
Less fragile is to write
while (max_chars--)
Except that the original was more obvious at least for me.
I always prefer more readable code when the compiler might do
the optimization easily. But this is my personal taste.
I am fine with both variants.
This allows max_char to be an unsigned type.
Moreover...
+ return _parse_integer_limit(s, base, p, INT_MAX);
You have inconsistency with INT_MAX vs, size_t above.
Ah, this was on my request. INT_MAX is already used on many other
locations in vsnprintf() for this purpose.
I originally had UINT_MAX and changed on Petr's request to be
consistent with other code. (Sorry Andy - my mistake not including
you on the earlier review versions).
But 0 < INT_MAX < UINT_MAX, so ok to pass to an unsigned. And as Petr
said on his original review, INT_MAX is "big enough".
I don't mind either way.
An alternative is to fix all the other locations. We would need to
check if it is really safe. Well, I do not want to force Richard
to fix this historical mess. He already put a lot lot of effort
into fixing this long term issue.
...
- unsigned long long result;
+ const char *cp;
+ unsigned long long result = 0ULL;
unsigned int rv;
- cp = _parse_integer_fixup_radix(cp, &base);
- rv = _parse_integer(cp, base, &result);
+ if (max_chars == 0) {
+ cp = startp;
+ goto out;
+ }
It's redundant if I'm not mistaken.
Also this is more obvious and less error prone from my POV.
But I agree that it is redundant. I am not sure if this
function is used in some fast paths.
Again I am fine with both variants.
+ cp = _parse_integer_fixup_radix(startp, &base);
+ if ((cp - startp) >= max_chars) {
+ cp = startp + max_chars;
+ goto out;
+ }
This will be exactly the same, no?
Best Regards,
Petr
