Coverity doing scans of Wine codebase!

James Hawkins truiken at gmail.com
Sat Apr 8 08:29:56 CDT 2006


On 4/7/06, Colin Wright <cdwine at tesco.net> wrote:
>
> #include <stdio.h>
> int main(void)
> {
>    short int i;
>    unsigned short int j;
>    j = 65534;
>    i = j + 1;
>    printf("The result is %d\n", i);
>    return 0;
> }
>

Thanks for the info, but I know C base type limits.  If you'll take a
look into the code, you'll realize they don't make a difference:

I'll go with the hypothetical situation brought up by Tom, that
strlenW somehow manages to return a value of -3789246 (it would have
to be a really long string to overflow the limits of int).  We're in
WideCharToMultiByte and we just set srclen to strlenW(src) + 1 which
turned out to be -3789245.  Of the possible conversion routines we
use, we'll start with wine_cpsymbol_wcstombs:

len = dstlen > srclen ? srclen : dstlen;
for( i = 0; i < len; i++)
{...}

If srclen is negative and dstlen is positive, we use dstlen instead. 
I know someone out there will say, "Well what if dstlen is also
negative?"  In that case someone is going to a lot of trouble to break
this function, but it still won't work because the loop runs from 0 to
less than len, and if len is negative, this won't run.  The other
conversion routines are similar, so we won't go through those.  Now at
the end of the conversion routines, they return len.  I hear someone
saying, "Aha!  So we are returning a negative length."  Bottom of
WideCharToMultiByte:

if (ret < 0)
{
    ...
    ret = 0;
}

--
James Hawkins
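
Added example, not part of the original message and not Wine's code: a small C harness that runs the min-and-loop fragment and the final `ret < 0` check quoted above with signed `int` lengths, including the hypothetical negative srclen. The names `clamp_and_copy` and `convert` are hypothetical, and the elided parts of the quoted fragments are replaced by a plain narrowing copy.

```c
#include <stdio.h>

/* Hypothetical stand-in for the quoted clamp-and-loop fragment; this is
 * not Wine's wine_cpsymbol_wcstombs. Lengths are signed int. */
static int clamp_and_copy(const unsigned short *src, int srclen,
                          char *dst, int dstlen, int *iterations)
{
    int len, i;

    len = dstlen > srclen ? srclen : dstlen;   /* the smaller of the two */
    *iterations = 0;
    for (i = 0; i < len; i++)                  /* signed compare: no pass if len <= 0 */
    {
        dst[i] = (char)src[i];                 /* assumed body, elided in the message */
        (*iterations)++;
    }
    return len;
}

/* Hypothetical caller applying the final "if (ret < 0) ret = 0" check. */
static int convert(const unsigned short *src, int srclen,
                   char *dst, int dstlen, int *iterations)
{
    int ret = clamp_and_copy(src, srclen, dst, dstlen, iterations);

    if (ret < 0)
        ret = 0;
    return ret;
}

int main(void)
{
    /* Constructed sample input. */
    static const unsigned short src[] = { 'W', 'i', 'n', 'e', 0 };
    static const int cases[][2] = { {5, 8}, {5, 3}, {-3789245, 8}, {-3789245, -1} };
    char dst[8];
    int n, iters, raw, ret;

    for (n = 0; n < (int)(sizeof cases / sizeof cases[0]); n++)
    {
        raw = clamp_and_copy(src, cases[n][0], dst, cases[n][1], &iters);
        ret = convert(src, cases[n][0], dst, cases[n][1], &iters);
        printf("srclen=%d dstlen=%d -> len=%d iterations=%d ret=%d\n",
               cases[n][0], cases[n][1], raw, iters, ret);
    }
    return 0;
}
```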


