Overflows in size_t add-ons

Question

Overflows in size_t add-ons

I like my code to be free for VS.NET and GCC, and I like to prepare 64-bit code.

Today I wrote a small module that deals with memory buffers and provides access to data through a file-style interface (for example, you can read bytes, write bytes, search, etc.).

I used size_t as the data type for the current position and reading size, since this is apparently the most natural choice. I review warnings, and it should work in 64-bit mode.

Just in case: My structure looks like this:

typedef struct { unsigned char * m_Data; size_t m_CurrentReadPosition; size_t m_DataSize; } MyMemoryFile;

The signature size_t apparently not defined in practice. Google code-search has proven this.

Now I have a dilemma: I want to check on add-ons with size_t for overflow, because I have to deal with user-provided data, and third-party libraries will use my code. However, to check for overflow, I must know the sign. This significantly affects the implementation.

So - how should I write such code in the platform and regardless of the compiler?

Is it possible to verify the signature of size_t at runtime or compile time? That would solve my problem. Or maybe size_t not a better idea in the first place.

Any ideas?

EDIT : I am looking for a solution for the C-language!

+6

c integer-overflow size-t

Nils pipenbrinck Oct 15 '08 at 20:48

source share

6 answers

size_t must be unsigned.

It is usually defined as an unsigned long.

I have never seen it defined otherwise. ssize_t is its signed counterpart.

EDIT: GCC defines it as signed in some cases. compilation in ASNI C or std-99 mode should make it unsigned.

+4

Nicholas mancuso Oct 15 '08 at 20:51

source share

size_t is an unsigned integral type in accordance with C ++ C standards. Any implementation that has a size_t signature is severely inappropriate and probably has other portability issues. It is guaranteed to wrap up when overflowing, which means that you can write tests like if (a + b < a) to find the overflow.

size_t is a great type for everything related to memory. You are doing it right.

+4

David thornley Oct 15 '08 at 21:09

source share

For C, use IntSafe . Also released by Microsoft (not to be confused with the C ++ - SafeInt library). IntSafe is a collection of C language function calls that can safely do math and transform. updated URL for intsafe functions

+2

1800 INFORMATION Oct 15 '08 at 9:07

source share

Use safeint . This is a class developed by Michael Howard and released as open source by Microsoft. It is designed to work with integers, where overflow is defined as risk. All overflows are converted to exceptions and processed. The class is intended for convenient use.

For example:

 char CouldBlowUp(char a, char b, char c) { SafeInt<char> sa(a), sb(b), sc(c); try { return (sa * sb + sc).Value(); } catch(SafeIntException err) { ComplainLoudly(err.m_code); } return 0; }

In addition, safeint is often used internally by Microsoft in products such as Office.

Ref: link text

0

1800 INFORMATION Oct 15 '08 at 20:54

source share

I'm not sure if I understood the question correctly, but maybe you can do something like:

 temp = value_to_be_added_to; value_to_be_added_to += value_to_add; if (temp > value_to_be_added_to) { overflow... }

Since it will return to lower values, you can easily check if it has overflowed.

0

Francisco soto Oct 15 '08 at 20:58

source share

Michael burr · Accepted Answer · 2008-10-15T21:31:52+0000

Regarding whether size _t is signed or not, and GCC (from the old GCC manual - I'm not sure if it's still there):

There is a potential problem with the size_t type and the version of GCC previously released 2.4. ANSI C requires size_t always be an unsigned type. For compatibility with existing systems' header files, GCC defines size_t in stddef.h to be of any type the sys/types.h defines it to be. Most Unix systems that define size_t in sys/types.h define it to be a signed type Some code in the library depends on size_t , which is an unsigned type and will not work correctly if it is signed.
The GNU C library code that expects size_t will be unsigned. defining size_t as a signed type is incorrect. We plan this in version 2.4, GCC will always define size_t as an unsigned type, and a "fixincludes" script will massage sys/types.h systems so that there is no conflict with this.
In the meantime, we get around this by telling GCC to explicitly use the unsigned type for size_t when compiling the GNU C library. "Configure" will automatically detect what type of GCC it uses for size_t to override it if necessary.

If you want the signed version of size_t use ptrdiff_t or on some systems, there is a typedef for ssize_t .

Overflows in size_t add-ons

More articles: