GNOME Bugzilla – Bug 727988
GMemoryOutputStream hangs when writing more than 1GiB
Last modified: 2014-10-30 20:17:50 UTC
g_nearest_pow() uses an int which overflows to 0 when trying to double 1024^3 and causes it to hang in an endless loop.

This comment also seems to be incorrect.

/* Check for overflow again. We have only checked if
   pos + count > G_MAXSIZE, but it only catches the case of writing
   more than 4GiB total on a 32-bit system. There's still the problem
   of g_nearest_pow overflowing above 0x7fffffff, so we're
   effectively limited to 2GiB. */

There doesn't appear to be any check for pos+count > G_MAXSIZE.

This issue can be reproduced by writing a large file with the webdav gvfs backend. (Making it not buffer the entire contents in memory is another issue!)
Created attachment 289612
gio: Prevent hang writing to a large GMemoryOutputStream

Fix a hang due to overflow by using unsigned numbers and explicitly checking if the number overflows to zero. This also fixes the previous logic which assigned an int which may be negative to an unsigned number resulting in sign extension and strange results.

Use gsize rather than int to allow for large streams on 64 bit machines.
Created attachment 289613
gio: Prevent hang writing to a large GMemoryBuffer

Fix a hang due to overflow by using unsigned numbers and explicitly checking if the number overflows to zero. This also fixes the previous logic which assigned an int which may be negative to an unsigned number resulting in sign extension and strange results.

Use gsize rather than int to allow for large buffers on 64 bit machines.
Review of attachment 289613: Looks good, thanks.
Review of attachment 289612: Also good.
Thanks for the reviews! Pushed to master as 226c292b6ab95014648e9fc0a082bb6c26eeccc8.
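
A minimal model of the overflow discussed in this bug, added here as an illustration; it is not GLib's code or either attached patch. The function names, the 64-step cap used to observe the hang, and the return-0-on-overflow convention are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative "before" model (not GLib code): a 32-bit signed counter
 * doubled until it reaches num. The doubling is done on uint32_t so the
 * wrap is defined here, then read back as int32_t as int-based code sees
 * it. Returns 1 if still looping after max_steps (the hang). */
static int narrow_pow_hangs(int32_t num, int max_steps, int32_t *out)
{
    uint32_t n = 1;
    int steps = 0;

    while ((int32_t)n < num) {
        if (++steps > max_steps)
            return 1;           /* n is stuck at 0 and 0 < num forever */
        n <<= 1;                /* 2^30 -> 2^31 (negative as int32_t) -> 0 */
    }
    *out = (int32_t)n;
    return 0;
}

/* Illustrative "after" model: unsigned, pointer-sized, and the loop stops
 * when the doubling wraps to zero. A result of 0 means overflow. */
static size_t nearest_pow_checked(size_t num)
{
    size_t n = 1;

    while (n < num && n > 0)
        n <<= 1;
    return n;
}

/* Size to allocate for a write of count bytes at pos, or 0 on overflow. */
static size_t grow_target(size_t pos, size_t count)
{
    if (count > SIZE_MAX - pos)
        return 0;               /* pos + count itself would wrap */
    return nearest_pow_checked(pos + count);
}

int main(void)
{
    int32_t r = 0;              /* inputs below are constructed values */
    int hung = narrow_pow_hangs((1 << 30) + 1, 64, &r);
    printf("int model, 1GiB+1: %s\n", hung ? "hang" : "ok");
    printf("size_t model, 1GiB+1: %zu\n", grow_target((size_t)1 << 30, 1));
    return 0;
}
```

A caller of grow_target() has to treat 0 as a failed write rather than pass it to the allocator.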