Skip to content

Strengthen undefined behavior prevention in checkSignedBitfieldOverflow #2418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 5, 2025
Merged

Strengthen undefined behavior prevention in checkSignedBitfieldOverflow #2418

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 4 additions & 6 deletions src/bitops.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -491,12 +491,10 @@ int checkSignedBitfieldOverflow(int64_t value, int64_t incr, uint64_t bits, int
int64_t max = (bits == 64) ? INT64_MAX : (((int64_t)1 << (bits - 1)) - 1);
int64_t min = (-max) - 1;

/* Note that maxincr and minincr could overflow, but we use the values
* only after checking 'value' range, so when we use it no overflow
* happens. 'uint64_t' cast is there just to prevent undefined behavior on
* overflow */
int64_t maxincr = (uint64_t)max - value;
int64_t minincr = min - value;
/* max/min and value are signed integers but to avoid undefined behavior
* we temporarily cast them to unsigned integers before subtracting. */
int64_t maxincr = (int64_t)((uint64_t)max - (uint64_t)value);
int64_t minincr = (int64_t)((uint64_t)min - (uint64_t)value);
Comment on lines +496 to +497
Copy link
Contributor

@zuiderkwast zuiderkwast Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cast to signed can be implicit, for brevity?

Suggested change
int64_t maxincr = (int64_t)((uint64_t)max - (uint64_t)value);
int64_t minincr = (int64_t)((uint64_t)min - (uint64_t)value);
int64_t maxincr = (uint64_t)max - (uint64_t)value;
int64_t minincr = (uint64_t)min - (uint64_t)value;

Copy link
Contributor Author

@Fusl Fusl Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made this explicit since clang-tidy otherwise complains about it:
image

Copy link
Contributor

@zuiderkwast zuiderkwast Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, is implicit cast different to explicit? I didn't know...

Let's keep it explicit then.

Out of curiosity, do you know where this stuff is mentioned in the C standards?

Copy link
Contributor

@zuiderkwast zuiderkwast Aug 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found it: https://en.cppreference.com/w/c/language/conversion.html#Integer_conversions

Copy link
Contributor Author

@Fusl Fusl Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That explicit cast specifically tells clang-tidy "i know what im doing, please stop complaining", there's no other side effect and the explicit and implicit format both get compiled down to the same byte code.


if (value > max || (bits != 64 && incr > maxincr) || (value >= 0 && incr > 0 && incr > maxincr)) {
if (limit) {
Expand Down
Loading