Closed Bug 283077 Opened 20 years ago Closed 20 years ago

Arithmetic overflow warning in modules/libimg/png/pngrtran.c

Categories: Core :: Graphics: ImageLib, defect

Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: normal

RESOLVED INVALID

People: Reporter: David.R.Gardiner, Assigned: pavlov

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Running PREfast static code analysis gives the following warning:

pngrtran.c(4029) : warning 297: Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit value. Cast to a 64-bit value before the shift. Bits may be lost.
problem occurs in function 'MOZ_PNG_build_gamma_tab'

The line in question is:

    max = (png_uint_32)(fin * (double)((png_uint_32)num << 8));

Not sure if the warning is legitimate or not.

-dave

Reproducible: Always

Steps to Reproduce:

Blocks: 283681

This is invalid, as is clear from the data flow: num (type int) is set at http://lxr.mozilla.org/mozilla/source/modules/libimg/png/pngrtran.c#4002 as follows:

    num = (1 << (8 - shift));

where shift is constrained to [0, 7]. So num << 8 does not overflow 32-bits (it fits in 17 bits worst case).

If PREFast is not modeling data flow well enough to see this, we shouldn't be filing bugs based on it without a lot more inspection. We're using Coverity's SWAT tools to better effect already.

BTW, the (num << 8) expression is loop-invariant at the line fingered by PREFast so it could be hoisted manually, but perhaps our tier-1 compilers are smart enough to do that nowadays.

/be

Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
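
Added example (not from the bug report, Mozilla, or libpng): a C check of the data-flow argument in the comment above, enumerating shift over [0, 7] and comparing the flagged shift-then-widen form against the widen-then-shift form the warning recommends. It assumes uint64_t as a stand-in for the 64-bit widening (the real code casts to double); the helper names and the 0x01000000 counter-case are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Shape of the flagged expression: shift in 32 bits, widen afterwards. */
static uint64_t shift_then_widen(uint32_t v, unsigned s)
{
    return (uint64_t)(uint32_t)(v << s);
}

/* What the PREfast message recommends: widen first, then shift. */
static uint64_t widen_then_shift(uint32_t v, unsigned s)
{
    return (uint64_t)v << s;
}

/* Number of bits needed to represent v. */
static unsigned bit_width(uint64_t v)
{
    unsigned n = 0;
    while (v) { n++; v >>= 1; }
    return n;
}

/* Walk every value shift can take ([0, 7] per the comment) and return the
 * widest num << 8 seen, or 0 if the two forms ever disagree. */
static unsigned max_width_for_gamma_range(void)
{
    unsigned widest = 0;
    for (int shift = 0; shift <= 7; shift++) {
        int num = 1 << (8 - shift);            /* as set in the quoted code */
        uint64_t narrow = shift_then_widen((uint32_t)num, 8);
        uint64_t wide = widen_then_shift((uint32_t)num, 8);
        if (narrow != wide) return 0;          /* bits were lost */
        if (bit_width(wide) > widest) widest = bit_width(wide);
    }
    return widest;
}

int main(void)
{
    printf("widest num << 8 for shift in [0,7]: %u bits\n",
           max_width_for_gamma_range());
    /* Constructed counter-case: an unconstrained operand does lose bits. */
    uint32_t big = 0x01000000u;
    printf("shift-then-widen: 0x%llx, widen-then-shift: 0x%llx\n",
           (unsigned long long)shift_then_widen(big, 8),
           (unsigned long long)widen_then_shift(big, 8));
    return 0;
}
```

The warning pattern only matters when the operand's range is unknown or unbounded; a bounded range like the one here is what a triager should establish before filing or dismissing such a finding.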