bin: detect overflows in conversion functions

* bin/common_conv.cc (to_int, to_unsigned): Here.
* bin/common_range.cc (parse_range): And there.
* tests/core/ltlgrind.test, tests/core/genaut.test,
tests/core/randaut.test: Add test cases.

bin/common_conv.cc

@@ -1,5 +1,5 @@
 // -*- coding: utf-8 -*-
-// Copyright (C) 2015, 2018 Laboratoire de Recherche et Développement
+// Copyright (C) 2015, 2018, 2023 Laboratoire de Recherche et Développement
 // de l'Epita (LRDE).
 //
 // This file is part of Spot, a model checking library.
@@ -25,10 +25,14 @@ int
 to_int(const char* s, const char* where)
 {
   char* endptr;
-  int res = strtol(s, &endptr, 10);
+  long int lres = strtol(s, &endptr, 10);
   if (*endptr)
     error(2, 0, "failed to parse '%s' as an integer (in argument of %s).",
           s, where);
+  int res = lres;
+  if (res != lres)
+    error(2, 0, "value '%s' is too large for an int (in argument of %s).",
+          s, where);
   return res;
 }
 
@@ -45,11 +49,16 @@ unsigned
 to_unsigned (const char *s, const char* where)
 {
   char* endptr;
-  unsigned res = strtoul(s, &endptr, 10);
+  unsigned long lres = strtoul(s, &endptr, 10);
   if (*endptr)
     error(2, 0,
           "failed to parse '%s' as an unsigned integer (in argument of %s).",
           s, where);
+  unsigned res = lres;
+  if (res != lres)
+    error(2, 0,
+          "value '%s' is too large for a unsigned int (in argument of %s).",
+          s, where);
   return res;
 }
 

bin/common_range.cc

@@ -1,5 +1,5 @@
 // -*- coding: utf-8 -*-
-// Copyright (C) 2012, 2014, 2016 Laboratoire de Recherche et
+// Copyright (C) 2012, 2014, 2016, 2023 Laboratoire de Recherche et
 // Développement de l'Epita (LRDE).
 //
 // This file is part of Spot, a model checking library.
@@ -36,13 +36,16 @@ parse_range(const char* str, int missing_left, int missing_right)
 {
   range res;
   char* end;
-  res.min = strtol(str, &end, 10);
+  long lres = strtol(str, &end, 10);
+  res.min = lres;
+  if (res.min != lres)
+    error(2, 0, "start of range '%s' is too large for an int.", str);
   if (end == str)
     {
       // No leading number.  It's OK as long as the string is not
       // empty.
       if (!*end)
-        error(1, 0, "invalid empty range");
+        error(2, 0, "invalid empty range");
       res.min = missing_left;
     }
   if (!*end)
@@ -66,19 +69,22 @@ parse_range(const char* str, int missing_left, int missing_right)
         {
           // Parse the next integer.
           char* end2;
-          res.max = strtol(end, &end2, 10);
+          lres = strtol(end, &end2, 10);
+          res.max = lres;
+          if (res.max != lres)
+            error(2, 0, "end of range '%s' is too large for an int.", str);
           if (str == end2)
-            error(1, 0, "invalid range '%s' "
+            error(2, 0, "invalid range '%s' "
                   "(should start with digits, dots, or colon)", str);
           if (end == end2)
-            error(1, 0, "invalid range '%s' (missing end?)", str);
+            error(2, 0, "invalid range '%s' (missing end?)", str);
           if (*end2)
-            error(1, 0, "invalid range '%s' (trailing garbage?)", str);
+            error(2, 0, "invalid range '%s' (trailing garbage?)", str);
         }
     }
 
   if (res.min < 0 || res.max < 0)
-    error(1, 0, "invalid range '%s': values must be positive", str);
+    error(2, 0, "invalid range '%s': values must be positive", str);
 
   return res;
 }

tests/core/genaut.test

@@ -1,7 +1,7 @@
 #!/bin/sh
 # -*- coding: utf-8 -*-
-# Copyright (C) 2017, 2018, 2019, 2020 Laboratoire de Recherche et Développement
-# de l'Epita (LRDE).
+# Copyright (C) 2017-2020, 2023 Laboratoire de Recherche et
+# Développement de l'Epita (LRDE).
 #
 # This file is part of Spot, a model checking library.
 #
@@ -60,7 +60,10 @@ genaut --l-nba='1..3?' 2>err && exit 1
 grep 'invalid range.*trailing garbage' err
 genaut --l-nba='1..' 2>err && exit 1
 grep 'invalid range.*missing end' err
-
+genaut --l-nba='9999999999999999999999999..' 2>err && exit 1
+grep 'start.*too large' err
+genaut --l-nba='1..9999999999999999999999999' 2>err && exit 1
+grep 'end.*too large' err
 
 # Tests for autfilt -N/--nth
 genaut --ks-nca=1..5 | autfilt -N 2..4 > range1.hoa

tests/core/ltlgrind.test

@@ -1,6 +1,6 @@
 #! /bin/sh
 # -*- coding: utf-8 -*-
-# Copyright (C) 2014, 2015, 2019 Laboratoire de Recherche et Développement
+# Copyright (C) 2014, 2015, 2019, 2023 Laboratoire de Recherche et Développement
 # de l'Epita (LRDE).
 #
 # This file is part of Spot, a model checking library.
@@ -198,3 +198,6 @@ checkopt_noparse -F input/2 --format '%<,%f,%>,%F,%L' <<EOF
 1,0,3,input,1
 1,1,3,input,1
 EOF
+
+ltlgrind -f 'a U b' -m 999999999999999999999999999 2>err && exit 1
+grep 'too large' err

tests/core/randaut.test

@@ -1,7 +1,7 @@
 #!/bin/sh
 # -*- coding: utf-8 -*-
-# Copyright (C) 2014-2018, 2020, 2022 Laboratoire de Recherche et
-# Développement de l'Epita (LRDE).
+# Copyright (C) 2014-2018, 2020, 2022, 2023 Laboratoire de Recherche
+# et Développement de l'Epita (LRDE).
 #
 # This file is part of Spot, a model checking library.
 #
@@ -29,6 +29,9 @@ grep "randaut: 3.1.*is not between 0 and 1 (in argument of -e" err
 randaut -n1a 3 2>err && exit 1
 grep "randaut: failed to parse '1a' as an integer.* -n/--automata)" err
 
+randaut -n99999999999999999999999999 3 2>err && exit 1
+grep "randaut:.*too large" err
+
 randaut --spin -Q4 a b | ../ikwiad -H -XN - >out
 grep 'States: 4' out
 grep 'AP: 2' out