Boost C++ Libraries: Ticket #6827: Integer overflow in read function https://svn.boost.org/trac10/ticket/6827 <p> The problem with this chunk of code (from boost/iostreams/detail/restrict_impl.hpp read function): </p> <pre class="wiki">std::streamsize amt = end_ != -1 ? (std::min) (n, static_cast&lt;std::streamsize&gt;(end_ - pos_)) : n; </pre><p> is that it's prone to integer overflow. So if you have let's say end_ that is <em>&gt; INT_MAX</em> <em>std::min</em> will return 'wrong' (unwanted) value, e.g.: </p> <pre class="wiki">std::streamsize a = 0xb14c1000; std::streamsize b = 1; std::streamsize result = (std::min)(a, b); </pre><p> This will return <em>result = 0xb14c1000</em> which if applied to our case means we will read <em>0xb14c1000</em> instead of 1 bytes. </p> <p> This can be fixed like this: </p> <pre class="wiki">std::streamsize amt(n); if (end_ != -1 &amp;&amp; end_ &lt;= std::numeric_limits&lt;std::streamsize&gt;::max()) { amt = (std::min) (n, static_cast&lt;std::streamsize&gt;(end_ - pos_)); } </pre> en-us Boost C++ Libraries /htdocs/site/boost.png https://svn.boost.org/trac10/ticket/6827 Trac 1.4.3 msuvajac@… Tue, 24 Apr 2012 17:42:34 GMT attachment set https://svn.boost.org/trac10/ticket/6827 https://svn.boost.org/trac10/ticket/6827 <ul> <li><strong>attachment</strong> → <span class="trac-field-new">restrict_impl.patch</span> </li> </ul> <p> Patch for the bug. </p> Ticket msuvajac@… Fri, 27 Apr 2012 17:26:03 GMT attachment set https://svn.boost.org/trac10/ticket/6827 https://svn.boost.org/trac10/ticket/6827 <ul> <li><strong>attachment</strong> → <span class="trac-field-new">restrict_impl2.patch</span> </li> </ul> <p> fixed patch </p> Ticket msuvajac@… Fri, 27 Apr 2012 17:27:48 GMT <link>https://svn.boost.org/trac10/ticket/6827#comment:1 </link> <guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6827#comment:1</guid> <description> <p> My previous patch had a bug, my colleague noticed that, so I've uploaded a fix. </p> </description> <category>Ticket</category> </item> </channel> </rss>