fix overflow checks in SmallVector:

"The code was doing "if (End+NumInputs > Capacity) ...". If End is
close to 0xFFFFFFFF and NumInputs is large, it'll overflow, the
condition will come out false, and the vector won't grow to
accommodate the new elements, and the program will crash in memmove."

Patch by Jeffrey Yasskin!



git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@68277 91177308-0d34-0410-b5e6-96231b3b80d8

1 files changed, 4 insertions, 4 deletions

diff --git a/include/llvm/ADT/SmallVector.h b/include/llvm/ADT/SmallVector.h
index 445f991900..d5fef4828e 100644
--- a/include/llvm/ADT/SmallVector.h
+++ b/include/llvm/ADT/SmallVector.h
@@ -210,7 +210,7 @@ public:
   void append(in_iter in_start, in_iter in_end) {
     size_type NumInputs = std::distance(in_start, in_end);
     // Grow allocated space if needed.
-    if (End+NumInputs > Capacity)
+    if (NumInputs > size_type(Capacity-End))
       grow(size()+NumInputs);
 
     // Copy the new elements over.
@@ -222,7 +222,7 @@ public:
   ///
   void append(size_type NumInputs, const T &Elt) {
     // Grow allocated space if needed.
-    if (End+NumInputs > Capacity)
+    if (NumInputs > size_type(Capacity-End))
       grow(size()+NumInputs);
 
     // Copy the new elements over.
@@ -456,9 +456,9 @@ void SmallVectorImpl<T>::swap(SmallVectorImpl<T> &RHS) {
     std::swap(Capacity, RHS.Capacity);
     return;
   }
-  if (Begin+RHS.size() > Capacity)
+  if (RHS.size() > size_type(Capacity-Begin))
     grow(RHS.size());
-  if (RHS.begin()+size() > RHS.Capacity)
+  if (size() > size_type(RHS.Capacity-RHS.begin()))
     RHS.grow(size());
 
   // Swap the shared elements.