fix overflow checks in SmallVector:

"The code was doing "if (End+NumInputs > Capacity) ...". If End is
close to 0xFFFFFFFF and NumInputs is large, it'll overflow, the
condition will come out false, and the vector won't grow to
accommodate the new elements, and the program will crash in memmove."

Patch by Jeffrey Yasskin!

llvm-svn: 68277

1 files changed, 4 insertions, 4 deletions

diff --git a/llvm/include/llvm/ADT/SmallVector.h b/llvm/include/llvm/ADT/SmallVector.h
index 445f9919008..d5fef4828e6 100644
--- a/llvm/include/llvm/ADT/SmallVector.h
+++ b/llvm/include/llvm/ADT/SmallVector.h
@@ -210,7 +210,7 @@ public:
   void append(in_iter in_start, in_iter in_end) {
     size_type NumInputs = std::distance(in_start, in_end);
     // Grow allocated space if needed.
-    if (End+NumInputs > Capacity)
+    if (NumInputs > size_type(Capacity-End))
       grow(size()+NumInputs);
 
     // Copy the new elements over.
@@ -222,7 +222,7 @@ public:
   ///
   void append(size_type NumInputs, const T &Elt) {
     // Grow allocated space if needed.
-    if (End+NumInputs > Capacity)
+    if (NumInputs > size_type(Capacity-End))
       grow(size()+NumInputs);
 
     // Copy the new elements over.
@@ -456,9 +456,9 @@ void SmallVectorImpl<T>::swap(SmallVectorImpl<T> &RHS) {
     std::swap(Capacity, RHS.Capacity);
     return;
   }
-  if (Begin+RHS.size() > Capacity)
+  if (RHS.size() > size_type(Capacity-Begin))
     grow(RHS.size());
-  if (RHS.begin()+size() > RHS.Capacity)
+  if (size() > size_type(RHS.Capacity-RHS.begin()))
     RHS.grow(size());
 
   // Swap the shared elements.