The "count_" out-parameter is doubled instead of unchanged.

Static analysis says: src\zmq.cpp(489): error V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> memsize. The value being casted: '* count_'. src\zmq.cpp(510): error V127: An overflow of the 32-bit 'nread' variable is possible inside a long cycle which utilizes a memsize-type loop counter. I've silenced the warning on line 489 and ignored the other. But also, it looks to me like there's a serious bug here: The out-parameter "count_" is never set to zero before we start incrementing it. So its final value will always be between 1 and 2 times its initial value. The fix seems obvious.

The "count_" out-parameter is doubled instead of unchanged.
Static analysis says: src\zmq.cpp(489): error V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> memsize. The value being casted: '* count_'. src\zmq.cpp(510): error V127: An overflow of the 32-bit 'nread' variable is possible inside a long cycle which utilizes a memsize-type loop counter. I've silenced the warning on line 489 and ignored the other. But also, it looks to me like there's a serious bug here: The out-parameter "count_" is never set to zero before we start incrementing it. So its final value will always be between 1 and 2 times its initial value. The fix seems obvious.
a48751b3 · Arthur O'Dwyer · d588dbf2 · a48751b3
Commit a48751b3 authored Aug 24, 2012 by Arthur O'Dwyer
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

zmq.cpp src/zmq.cpp +3 -1

No files found.
--- a/src/zmq.cpp
+++ b/src/zmq.cpp
@@ -486,9 +486,11 @@ int zmq_recviov (void *s_, iovec *a_, size_t *count_, int flags_)
    }
    zmq::socket_base_t *s = (zmq::socket_base_t *) s_;

-    size_t count = (int) *count_;
+    size_t count = *count_;
    int nread = 0;
    bool recvmore = true;
+    
+    *count_ = 0;

    for (size_t i = 0; recvmore && i < count; ++i) {
        // Cheat! We never close any msg