From ec5ef8924136c3e156080e214d0490318b373d08 Mon Sep 17 00:00:00 2001
From: Chris Lattner
Date: Thu, 2 Apr 2009 03:06:26 +0000
Subject: fix overflow checks in SmallVector: "The code was doing "if (End+NumInputs > Capacity) ...". If End is close to 0xFFFFFFFF and NumInputs is large, it'll overflow, the condition will come out false, and the vector won't grow to accommodate the new elements, and the program will crash in memmove." Patch by Jeffrey Yasskin!
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@68277 91177308-0d34-0410-b5e6-96231b3b80d8
---
 include/llvm/ADT/SmallVector.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'include/llvm/ADT')
diff --git a/include/llvm/ADT/SmallVector.h b/include/llvm/ADT/SmallVector.h
index 445f991..d5fef48 100644
--- a/include/llvm/ADT/SmallVector.h
+++ b/include/llvm/ADT/SmallVector.h
@@ -210,7 +210,7 @@ public:
 void append(in_iter in_start, in_iter in_end) {
 size_type NumInputs = std::distance(in_start, in_end);
 // Grow allocated space if needed.
- if (End+NumInputs > Capacity)
+ if (NumInputs > size_type(Capacity-End))
 grow(size()+NumInputs);
 // Copy the new elements over.
@@ -222,7 +222,7 @@ public:
 ///
 void append(size_type NumInputs, const T &Elt) {
 // Grow allocated space if needed.
- if (End+NumInputs > Capacity)
+ if (NumInputs > size_type(Capacity-End))
 grow(size()+NumInputs);
 // Copy the new elements over.
@@ -456,9 +456,9 @@ void SmallVectorImpl::swap(SmallVectorImpl &RHS) {
 std::swap(Capacity, RHS.Capacity);
 return;
 }
- if (Begin+RHS.size() > Capacity)
+ if (RHS.size() > size_type(Capacity-Begin))
 grow(RHS.size());
- if (RHS.begin()+size() > RHS.Capacity)
+ if (size() > size_type(RHS.Capacity-RHS.begin()))
 RHS.grow(size());
 // Swap the shared elements.
-- cgit v1.1
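Review bot: The argument `size()+NumInputs` passed to `grow` on the unchanged line after the new check can still wrap in `size_type`, so a count that now correctly fails the capacity comparison may ask `grow` for a size smaller than what the copy below will write. This matters most for `append(size_type NumInputs, const T &Elt)` in the second hunk, where the count comes straight from the caller, and in this hunk if `std::distance` ever yields a negative value that converts to a huge `size_type`. `grow` is outside the diff, so whether it rejects such a request cannot be confirmed here; a guard before the call would settle it, e.g. `assert(NumInputs <= size_type(-1) - size() && "SmallVector size overflow");`, or an unconditional check if release builds need the protection. Both `append` bodies continue past their hunks.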
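Review bot: The rewritten comparisons in `swap` carry no comment saying why they are phrased as a subtraction, so a later cleanup could restore the `Begin+RHS.size() > Capacity` form and bring the pointer overflow back. A one-line comment above the first check would do, e.g. `// Compare against remaining capacity; Begin+N may overflow the pointer.`, and the same applies to the two `append` checks in the earlier hunks. The diffstat lists only SmallVector.h, so no regression test accompanies the fix. `swap` starts and ends outside the hunk.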