Mercurial > vim
comparison src/alloc.c @ 27453:c7f614c9ceb3 v8.2.4255
patch 8.2.4255: theoretical computation overflow
Commit: https://github.com/vim/vim/commit/d5cec1f1f055316c353cfa15ad8d5eb0952d50a0
Author: =?UTF-8?q?Dundar=20G=C3=B6c?= <gocdundar@gmail.com>
Date: Sat Jan 29 15:19:23 2022 +0000
patch 8.2.4255: theoretical computation overflow
Problem: Theoretical computation overflow.
Solution: Perform multiplication in a wider type. (closes https://github.com/vim/vim/issues/9657)
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Sat, 29 Jan 2022 16:30:03 +0100 |
| parents | 018c911eb9cf |
| children | f34afadbef47 |
comparison
equal
deleted
inserted
replaced
| 27452:81af1f0ff8ce | 27453:c7f614c9ceb3 |
|---|---|
| 735 // is a compromise between allocating memory that won't be used and too | 735 // is a compromise between allocating memory that won't be used and too |
| 736 // many copy operations. A factor of 1.5 seems reasonable. | 736 // many copy operations. A factor of 1.5 seems reasonable. |
| 737 if (n < gap->ga_len / 2) | 737 if (n < gap->ga_len / 2) |
| 738 n = gap->ga_len / 2; | 738 n = gap->ga_len / 2; |
| 739 | 739 |
| 740 new_len = gap->ga_itemsize * (gap->ga_len + n); | 740 new_len = (size_t)gap->ga_itemsize * (gap->ga_len + n); |
| 741 pp = vim_realloc(gap->ga_data, new_len); | 741 pp = vim_realloc(gap->ga_data, new_len); |
| 742 if (pp == NULL) | 742 if (pp == NULL) |
| 743 return FAIL; | 743 return FAIL; |
| 744 old_len = gap->ga_itemsize * gap->ga_maxlen; | 744 old_len = (size_t)gap->ga_itemsize * gap->ga_maxlen; |
| 745 vim_memset(pp + old_len, 0, new_len - old_len); | 745 vim_memset(pp + old_len, 0, new_len - old_len); |
| 746 gap->ga_maxlen = gap->ga_len + n; | 746 gap->ga_maxlen = gap->ga_len + n; |
| 747 gap->ga_data = pp; | 747 gap->ga_data = pp; |
| 748 return OK; | 748 return OK; |
| 749 } | 749 } |