Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2414473003:
Handle undefined shifts in CPDF_PSEngine. (Closed)
DescriptionHandle undefined shifts in CPDF_PSEngine.
BUG=chromium:641551
Patch Set 1 #
Total comments: 1
Patch Set 2 : avoid more undefined behavior #Patch Set 3 : self nit #
Total comments: 2
Messages
Total messages: 16 (9 generated)
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
thestig@chromium.org changed reviewers: + tsepez@chromium.org
https://codereview.chromium.org/2414473003/diff/1/core/fpdfapi/page/fpdf_page... File core/fpdfapi/page/fpdf_page_func.cpp (right): https://codereview.chromium.org/2414473003/diff/1/core/fpdfapi/page/fpdf_page... core/fpdfapi/page/fpdf_page_func.cpp:346: if (shift < -31 || shift > 31) http://en.cppreference.com/w/cpp/language/operator_arithmetic Plucking out the C++11 sections, For signed and positive a, the value of a << b is a * 2b if it is representable the return type, otherwise the behavior is undefined. For negative a, the behavior of a << b is undefined. So there are still cases where this might be flagged. It's pretty much impossible to check this properly :( ... The only way to do this, it would seem, is to use int64_t (which is how the safe_int packages handles this?)
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
How's patch set 3?
let me see how I break it down
if (shift < -31) fail;
else if (shift < 0) i >> -shift is legal
else if (shift < 32) {
if (i < 0) fail;
else {
((int64_t)i) << shift is legal.
if result fits in 32, fine else fail;
}
}
else fail
https://codereview.chromium.org/2414473003/diff/40001/core/fpdfapi/page/fpdf_...
File core/fpdfapi/page/fpdf_page_func.cpp (right):
https://codereview.chromium.org/2414473003/diff/40001/core/fpdfapi/page/fpdf_...
core/fpdfapi/page/fpdf_page_func.cpp:354: uint64_t unsigned_i = i;
think we want to do it as a signed64?
https://codereview.chromium.org/2414473003/diff/40001/core/fpdfapi/page/fpdf_...
core/fpdfapi/page/fpdf_page_func.cpp:358: unsigned_i >>= shift;
need a -shift here?
On 2016/10/20 20:55:30, Tom Sepez wrote:
> let me see how I break it down
>
> if (shift < -31) fail;
> else if (shift < 0) i >> -shift is legal
> else if (shift < 32) {
> if (i < 0) fail;
> else {
> ((int64_t)i) << shift is legal.
> if result fits in 32, fine else fail;
> }
> }
> else fail
>
>
https://codereview.chromium.org/2414473003/diff/40001/core/fpdfapi/page/fpdf_...
> File core/fpdfapi/page/fpdf_page_func.cpp (right):
>
>
https://codereview.chromium.org/2414473003/diff/40001/core/fpdfapi/page/fpdf_...
> core/fpdfapi/page/fpdf_page_func.cpp:354: uint64_t unsigned_i = i;
> think we want to do it as a signed64?
>
>
https://codereview.chromium.org/2414473003/diff/40001/core/fpdfapi/page/fpdf_...
> core/fpdfapi/page/fpdf_page_func.cpp:358: unsigned_i >>= shift;
> need a -shift here?
I think what we need to do is to implement safe << and >> for the integral types
in our safe math package.
Justin and I will take a stab at this, since no-one is ever going to get this
right on their own.
On 2016/10/20 21:01:57, Tom Sepez wrote: > I think what we need to do is to implement safe << and >> for the integral types > in our safe math package. > Justin and I will take a stab at this, since no-one is ever going to get this > right on their own. Sounds good. I'll just wait for that then.
On 2016/10/20 21:07:39, Lei Zhang (OOO) wrote: > On 2016/10/20 21:01:57, Tom Sepez wrote: > > I think what we need to do is to implement safe << and >> for the integral > types > > in our safe math package. > > Justin and I will take a stab at this, since no-one is ever going to get this > > right on their own. > > Sounds good. I'll just wait for that then. Closing without landing, separate patch according to the discussion has landed. |
