diff options
| author | Eliseo Martínez <eliseomarmol@gmail.com> | 2015-02-14 00:03:19 +0100 |
|---|---|---|
| committer | Eliseo Martínez <eliseomarmol@gmail.com> | 2015-02-20 17:34:07 +0100 |
| commit | 24fa25a57f9fd2062554f4e2283c367d71ac4050 (patch) | |
| tree | f0a0f633af3c3bbad2f164a7fbd4bab0b4ff1452 /test/functional/shell/viml_system_spec.lua | |
| parent | 33cecbbf1667cd34324e6c6e7049ede1dbff426e (diff) | |
| download | rneovim-24fa25a57f9fd2062554f4e2283c367d71ac4050.tar.gz rneovim-24fa25a57f9fd2062554f4e2283c367d71ac4050.tar.bz2 rneovim-24fa25a57f9fd2062554f4e2283c367d71ac4050.zip | |
coverity/13683: Out-of-bounds access: RI.
Problem : Out-of-bounds access @ 3730.
Diagnostic : Real issue.
Rationale : str is constructed step by step, str_l growing each time.
str_m is the maximum length of str. So, at every step,
avail is computed to see if the piece to be added fits in.
If not, piece is truncated to a max of `avail`, so that str
stays in bounds. Such blocks where pieces are added are of
the form `if (str_l < str_m)`. It then follows that once
one of those pieces exhausts available space on str, no
other such block should be entered. Formally:
str_l < strl_m && avail = str_m - str_l && x >= avail
-->
str_l + x >= str_m
Now, suggested error path successively enters blocks where
str is exhausted. We're not sure if coverity just fails to
follow above implications, or, on the contrary, it's aware
of them, but it's signaling the more complex possibility of
implications not being fulfilled because of possible
arithmetic overflows. We opt then to assume this last case,
as the possibility is in fact there.
Resolution : Refactor code so that tracked condition doesn't depend on
arithmetic implications. Check for overflow.
Diffstat (limited to 'test/functional/shell/viml_system_spec.lua')
0 files changed, 0 insertions, 0 deletions