From: Paul Eggert
Subject: Re: Making --with-wide-int the default
Date: Tue, 17 Nov 2015 10:32:39 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
On 11/17/2015 04:13 AM, David Kastrup wrote:
> Integer overflows are a rather popular source of security vulnerabilities and/or crashes, so having them under control by default is a good idea.
Yes, yes, all that's good, but that set of primitives (scm_t_uint16 scm_to_uint16 etc.), while an impressively long laundry list, doesn't solve the problem or even (to be honest) inspire much confidence that the problem is even understood. How does one convert a Guile integer to a time_t? Or to an off_t? Or to a nonnegative ptrdiff_t? None of the primitives you mention seem to address the typical problems I run into when auditing Emacs source code.
Far more useful is a small set of generic primitives that one can use to convert a Lisp integer to any system integer type, checking for overflow in the process. Emacs has that already. I suppose something like that could be built in Guile too. If so, then all we'd need to do is port the existing Emacs generic macros to run atop Guile, and no further code review should be needed.
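As an added illustration (not code from Emacs, Guile or this thread): a generic, type-driven range check of the kind the reply describes, written in C. TYPE_SIGNED/TYPE_MINIMUM/TYPE_MAXIMUM follow the well-known gnulib idiom for deriving any integer type's range at compile time; INT_TO_TYPE, in_range and the to_* wrappers are hypothetical names chosen here, and an intmax_t stands in for the Lisp integer. The same three macros serve time_t, off_t, a nonnegative ptrdiff_t and the narrow fixed-width types, which is the point of preferring a generic primitive over one conversion function per type.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <time.h>

/* gnulib-style range derivation for any integer type T (assumes two's
   complement and no padding bits, as Emacs does). */
#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
#define TYPE_MAXIMUM(t)                                                    \
  ((t) (! TYPE_SIGNED (t)                                                  \
        ? (t) -1                                                           \
        : ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))
#define TYPE_MINIMUM(t) ((t) (TYPE_SIGNED (t) ? ~ TYPE_MAXIMUM (t) : (t) 0))

/* True if V lies in [LO, HI].  The comparison is done in the widest
   types so that no truncation happens before the check; HI is unsigned
   so that the full range of a 64-bit unsigned target is representable.  */
static bool
in_range (intmax_t v, intmax_t lo, uintmax_t hi)
{
  if (v < lo)
    return false;
  if (v < 0)
    return true;                /* lo <= v < 0 <= hi */
  return (uintmax_t) v <= hi;
}

/* Hypothetical generic primitive: store V into VAR (of type T) and yield
   true, or yield false without touching VAR when V does not fit in T.
   Caller passes the type, not a per-type function, so one macro covers
   time_t, off_t, ptrdiff_t, uint16_t, ...  */
#define INT_TO_TYPE(v, t, var)                                             \
  (in_range ((v), (intmax_t) TYPE_MINIMUM (t), (uintmax_t) TYPE_MAXIMUM (t)) \
   ? ((var) = (t) (v), true)                                               \
   : false)

/* The conversions the reply asks about, each a one-liner on top of
   INT_TO_TYPE.  V plays the role of the Lisp integer's value.  */
static bool
to_time_t (intmax_t v, time_t *out)
{
  return INT_TO_TYPE (v, time_t, *out);
}

static bool
to_off_t (intmax_t v, off_t *out)
{
  return INT_TO_TYPE (v, off_t, *out);
}

/* "Nonnegative ptrdiff_t": tighten the lower bound to 0 before the
   generic check, the typical shape of a length or index argument.  */
static bool
to_nonneg_ptrdiff (intmax_t v, ptrdiff_t *out)
{
  if (v < 0)
    return false;
  return INT_TO_TYPE (v, ptrdiff_t, *out);
}

static bool
to_uint16 (intmax_t v, uint16_t *out)
{
  return INT_TO_TYPE (v, uint16_t, *out);
}

static bool
to_int16 (intmax_t v, int16_t *out)
{
  return INT_TO_TYPE (v, int16_t, *out);
}

/* Run a fixed set of boundary cases; returns the number that behaved as
   expected (7 when everything is correct).  */
static int
self_check (void)
{
  int ok = 0;
  uint16_t u16 = 0;
  int16_t s16 = 0;
  ptrdiff_t pd = 0;
  time_t tt = 0;
  off_t off = 0;

  ok += to_uint16 (65535, &u16) && u16 == 65535;   /* exactly at the top */
  ok += ! to_uint16 (65536, &u16) && u16 == 65535; /* rejected, untouched */
  ok += ! to_uint16 (-1, &u16);                    /* negative into unsigned */
  ok += to_int16 (-32768, &s16) && s16 == -32768;  /* exactly at the bottom */
  ok += ! to_int16 (32768, &s16) && ! to_int16 (-32769, &s16);
  ok += ! to_nonneg_ptrdiff (-1, &pd) && to_nonneg_ptrdiff (42, &pd) && pd == 42;
  ok += to_time_t (0, &tt) && to_off_t (INTMAX_MAX, &off) == (sizeof (off_t) >= sizeof (intmax_t));
  return ok;
}

int
main (void)
{
  printf ("%d of 7 boundary checks behaved as expected\n", self_check ());
  return 0;
}
```

The last case in self_check shows the one caveat of using intmax_t as the carrier: on a platform where off_t is as wide as intmax_t, INTMAX_MAX is accepted, and on a narrower off_t it is rejected, so the check adapts to the target type without any per-platform code.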