gloo
Fix possible integer overflow in multiplication
There are some integer multiplications that might overflow before cast to a larger type:
Multiplication result may overflow 'int' before it is converted to 'difference_type'.
This rule finds code that converts the result of an integer multiplication to a larger type.
Since the conversion applies after the multiplication, arithmetic overflow may still occur.
The std::vector constructor takes a std::size_t as its size argument, while in these places ints are multiplied. On 64-bit architectures this means that the int multiplication could overflow while std::size_t is sufficiently large.
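The pattern the PR description refers to, as an added illustration that is not code from the Gloo repository or from this PR: widening each int operand to std::size_t before multiplying, so the product is computed in the wider type, plus a hypothetical helper that reports whether the original int multiplication would have overflowed. A 64-bit platform is assumed.

```cpp
#include <cstddef>
#include <limits>
#include <vector>

// Hypothetical helper (not from Gloo): widen BEFORE multiplying, so the
// product is formed in std::size_t arithmetic rather than in int.
std::size_t widenedProduct(int rows, int cols) {
  return static_cast<std::size_t>(rows) * static_cast<std::size_t>(cols);
}

// Hypothetical helper: reports whether `rows * cols` computed in int would
// overflow (the case flagged by the rule), without performing the signed
// int multiplication itself, which would be undefined behaviour.
bool intProductOverflows(int rows, int cols) {
  long long wide = static_cast<long long>(rows) * static_cast<long long>(cols);
  return wide > std::numeric_limits<int>::max() ||
         wide < std::numeric_limits<int>::min();
}

// Allocate a buffer sized by the widened product. The risky form would be
// std::vector<float>(rows * cols), where the int product overflows before
// the implicit conversion to std::size_t takes place.
std::vector<float> makeBuffer(int rows, int cols) {
  return std::vector<float>(widenedProduct(rows, cols));
}
```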
@pietern what are your thoughts?
@EnricoMi I don't work on Gloo anymore. The change looks good to me though :-)
@pietern any suggestion who would be best to poke? maybe @sofong5
cc @jiayisuse
How can we get this fairly simple fix in? This removes those annoying vulnerability alerts from Gloo?
@jiayisuse @mrshenli @pritamdamania @minsii @luciang @mingzhe09088 @meyering any suggestions who to ping for review?
I don't have approval permission. Sorry I cannot help. The PR itself looks good to me :-)
@pietern @malfet @peterbell10 any suggestion how to get hold of a committer?
Hey @EnricoMi, sorry for keeping you waiting so long, and thank you for submitting your contributions to this repository! I've approved the changes, just need to look into how to complete the merge; I see some tests are failing.
@rctl thanks for looking into this. I reckon the errors are transient, can you please rerun the CI?
@rctl the remaining failing tests still look unrelated.
@rctl who can merge this?