[vlc-devel] [PATCH] vlc_strftime: avoid infinite loop on windows when format string is invalid

Romain Vimont rom at rom1v.com
Thu Jan 25 22:25:12 CET 2018
Le 25 janvier 2018 19:10:26 GMT+01:00, "Rémi Denis-Courmont" <remi at remlab.net> a écrit :
>Le torstaina 25. tammikuuta 2018, 19.35.55 EET Romain Vimont a écrit :
>> On Thu, Jan 25, 2018 at 06:43:42PM +0200, Rémi Denis-Courmont wrote:
>> > We can intrinsically not handle UB and therefore we do not handle UB, at
>> > least not post-facto. Where practical and useful, you can add post-facto
>> > assertions to aid in debugging - nothing else.
>> 
>> I agree with you, in theory we can just ignore UB.
>
>I did not state that we CAN ignore UB. I stated that we MUST ignore UB.
>By definition.
>
>After UB, the only thing that vaguely makes sense is aborting, typically done
>with assert().

You're right. Calling assert() would make more sense if the format is invalid.

>> But here, the current vlc_strftime() implementation may transform an
>> error (with errno set) to an infinite loop, which is not very
>> debug-friendly.
>
>UB is not debug-friendly in the first place and clobbering errno is not
>friendly to debug and tracing either.
>
>> To always avoid an infinite loop, one possibility could be to double the
>> buffer size on each iteration (instead of increasing linearly), and
>> limit to, say, 10 iterations, failing with an error otherwise.
>
>We already handle the empty string case.

I would still avoid the infinite loop since there is no way to distinguish a valid empty string result from an error when the return is 0 (an empty string may result from a non-empty format).

>
>-- 
>雷米‧德尼-库尔蒙
>https://www.remlab.net/
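The bounded growth loop proposed above (double the buffer each attempt, give up after a fixed number of attempts), as an added example that is neither VLC's vlc_strftime() nor code from this thread; the 64-byte starting size, the cap of 10 attempts, the ERANGE error code, the sample timestamp and the helper names are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* strftime() returns 0 when the buffer is too small, when the result is
 * genuinely empty, and (on the Windows CRT) for an invalid conversion, so
 * growing the buffer "until non-zero" may never terminate. Doubling the
 * size and capping the attempts bounds the loop; a non-empty format whose
 * output is legitimately empty is then reported as an error, which is the
 * ambiguity discussed above. Returns a malloc'd string, or NULL with errno set. */
char *strftime_bounded(const char *fmt, const struct tm *tm)
{
    if (fmt[0] == '\0')                    /* empty format: the known empty case */
        return calloc(1, 1);               /* "" (zeroed byte) */
    size_t size = 64;                      /* assumed start; 64 << 9 = 32 KiB */
    for (int i = 0; i < 10; i++) {         /* assumed cap of 10 attempts */
        char *buf = malloc(size);
        if (buf == NULL) return NULL;      /* errno is ENOMEM from malloc() */
        if (strftime(buf, size, fmt, tm) > 0)
            return buf;                    /* fits; caller frees */
        free(buf);
        size *= 2;                         /* geometric, not linear, growth */
    }
    errno = ERANGE;                        /* too long, or invalid format */
    return NULL;
}

/* Formats a constructed timestamp (this e-mail's date, 2018-01-25 22:25:12). */
char *format_sample(const char *fmt)
{
    struct tm tm = { .tm_year = 118, .tm_mon = 0, .tm_mday = 25,
                     .tm_hour = 22, .tm_min = 25, .tm_sec = 12 };
    return strftime_bounded(fmt, &tm);
}

/* Formats n consecutive "%Y" conversions and returns the output length, or
 * -1 when strftime_bounded() gives up (n = 9000 yields 36000 bytes > 32 KiB). */
long format_repeated_year(size_t n)
{
    char *fmt = malloc(2 * n + 1);
    if (fmt == NULL) return -1;
    for (size_t i = 0; i < n; i++)
        memcpy(fmt + 2 * i, "%Y", 2);
    fmt[2 * n] = '\0';
    char *out = format_sample(fmt);
    free(fmt);
    long len = out ? (long)strlen(out) : -1;
    free(out);                             /* free(NULL) is a no-op */
    return len;
}
```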