id: 6827
summary: Integer overflow in read function
reporter: msuvajac@…
owner: Jonathan Turkanis
type: Bugs
status: new
milestone: To Be Determined
component: iostreams
version: Boost Development Trunk
severity: Showstopper
resolution:
keywords: security, overflow, restrict, restriction
cc:

description:

The problem with this chunk of code (from the read function in boost/iostreams/detail/restrict_impl.hpp):

{{{
std::streamsize amt =
    end_ != -1 ?
        (std::min) (n, static_cast<std::streamsize>(end_ - pos_)) :
        n;
}}}

is that it's prone to integer overflow. So if you have, let's say, an end_ that is ''> INT_MAX'', ''std::min'' will return a 'wrong' (unwanted) value, e.g.:

{{{
std::streamsize a = 0xb14c1000;
std::streamsize b = 1;
std::streamsize result = (std::min)(a, b);
}}}

This will return ''result = 0xb14c1000'', which, if applied to our case, means we will read ''0xb14c1000'' bytes instead of 1 byte.

This can be fixed like this:

{{{
std::streamsize amt(n);
if (end_ != -1 && end_ <= std::numeric_limits<std::streamsize>::max())
{
    amt = (std::min) (n, static_cast<std::streamsize>(end_ - pos_));
}
}}}
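
The narrowing behaviour the ticket describes, reproduced as an added example (not code from the ticket or from Boost), beside a variant that clamps in the wide type before narrowing. It assumes a platform where std::streamsize is 32 bits and the offset type of end_ and pos_ is 64 bits; the aliases `size32` and `off64` and both function names are hypothetical.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Assumption: 32-bit std::streamsize, 64-bit stream offset. Fixed-width
// aliases make the behaviour reproducible on any host.
using size32 = std::int32_t;  // stands in for std::streamsize
using off64  = std::int64_t;  // stands in for the type of end_ and pos_

// Pattern from the ticket: narrow the remaining byte count, then take the min.
// A remaining count above INT32_MAX wraps (modular on mainstream compilers,
// guaranteed since C++20) before std::min ever sees it.
size32 amt_narrow_then_min(size32 n, off64 pos, off64 end) {
    if (end == -1) return n;  // -1 means "no upper bound"
    return (std::min)(n, static_cast<size32>(end - pos));
}

// Hardened variant: compare in the wide type, narrow only the bounded result.
// The result is never larger than n, so the final cast cannot wrap.
size32 amt_min_then_narrow(size32 n, off64 pos, off64 end) {
    if (end == -1) return n;
    off64 remaining = end - pos;
    if (remaining <= 0) return 0;  // restricted window already exhausted
    return static_cast<size32>((std::min)(static_cast<off64>(n), remaining));
}

int main() {
    // Constructed inputs: {requested n, pos, end}
    const struct { size32 n; off64 pos; off64 end; } cases[] = {
        {1,    0,  0xb14c1000LL},   // value from the ticket, wraps negative
        {4096, 0,  0x100000005LL},  // wraps to a small positive count
        {100,  10, 20},             // ordinary in-range window
    };
    for (const auto& c : cases) {
        std::printf("n=%d remaining=%lld narrow-first=%d wide-first=%d\n",
                    static_cast<int>(c.n),
                    static_cast<long long>(c.end - c.pos),
                    static_cast<int>(amt_narrow_then_min(c.n, c.pos, c.end)),
                    static_cast<int>(amt_min_then_narrow(c.n, c.pos, c.end)));
    }
    return 0;
}
```

A negative or truncated amount is the signal to look for when auditing callers: any length that passes through a narrowing cast before its bounds check should be re-ordered so the check happens first.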