Commit 38e7177c authored by Martin Möhrmann's avatar Martin Möhrmann

cmd/compile: fix length overflow when appending elements to a slice

Instead of testing len(slice)+numNewElements > cap(slice) use
uint(len(slice)+numNewElements) > uint(cap(slice)) to test
if a slice needs to be grown in an append operation.

This prevents a possible overflow when len(slice) is near the maximum
int value and the addition of a constant number of new elements
makes it overflow and wrap around to a negative number which is
smaller than the capacity of the slice.

Appending a slice to a slice with append(s1, s2...) already used
a uint comparison to test slice capacity and therefore was not
vulnerable to the same overflow issue.

Fixes: #29190

Change-Id: I41733895838b4f80a44f827bf900ce931d8be5ca
Reviewed-on: https://go-review.googlesource.com/c/154037
Run-TryBot: Martin Möhrmann <moehrmann@google.com>
Reviewed-by: default avatarKeith Randall <khr@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
parent 84b408cd
...@@ -2416,7 +2416,7 @@ func (s *state) append(n *Node, inplace bool) *ssa.Value { ...@@ -2416,7 +2416,7 @@ func (s *state) append(n *Node, inplace bool) *ssa.Value {
// a := &s // a := &s
// ptr, len, cap := s // ptr, len, cap := s
// newlen := len + 3 // newlen := len + 3
// if newlen > cap { // if uint(newlen) > uint(cap) {
// newptr, len, newcap = growslice(ptr, len, cap, newlen) // newptr, len, newcap = growslice(ptr, len, cap, newlen)
// vardef(a) // if necessary, advise liveness we are writing a new a // vardef(a) // if necessary, advise liveness we are writing a new a
// *a.cap = newcap // write before ptr to avoid a spill // *a.cap = newcap // write before ptr to avoid a spill
...@@ -2454,7 +2454,7 @@ func (s *state) append(n *Node, inplace bool) *ssa.Value { ...@@ -2454,7 +2454,7 @@ func (s *state) append(n *Node, inplace bool) *ssa.Value {
c := s.newValue1(ssa.OpSliceCap, types.Types[TINT], slice) c := s.newValue1(ssa.OpSliceCap, types.Types[TINT], slice)
nl := s.newValue2(s.ssaOp(OADD, types.Types[TINT]), types.Types[TINT], l, s.constInt(types.Types[TINT], nargs)) nl := s.newValue2(s.ssaOp(OADD, types.Types[TINT]), types.Types[TINT], l, s.constInt(types.Types[TINT], nargs))
cmp := s.newValue2(s.ssaOp(OGT, types.Types[TINT]), types.Types[TBOOL], nl, c) cmp := s.newValue2(s.ssaOp(OGT, types.Types[TUINT]), types.Types[TBOOL], nl, c)
s.vars[&ptrVar] = p s.vars[&ptrVar] = p
if !inplace { if !inplace {
......
// run
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"strings"
)
type T struct{}
const maxInt = int(^uint(0) >> 1)
func main() {
s := make([]T, maxInt)
shouldPanic("cap out of range", func() { s = append(s, T{}) })
var oneElem = make([]T, 1)
shouldPanic("cap out of range", func() { s = append(s, oneElem...) })
}
func shouldPanic(str string, f func()) {
defer func() {
err := recover()
if err == nil {
panic("did not panic")
}
s := err.(error).Error()
if !strings.Contains(s, str) {
panic("got panic " + s + ", want " + str)
}
}()
f()
}
...@@ -530,7 +530,7 @@ func fence1(b []int, x, y int) { ...@@ -530,7 +530,7 @@ func fence1(b []int, x, y int) {
} }
if len(b) < cap(b) { if len(b) < cap(b) {
// This eliminates the growslice path. // This eliminates the growslice path.
b = append(b, 1) // ERROR "Disproved Greater64$" b = append(b, 1) // ERROR "Disproved Greater64U$"
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment