Bugzilla – Bug 14362
writeBin silently produces incorrect output for enormous objects
Last modified: 2010-08-19 17:04:36 UTC
It seems that the writeBin C code makes a memcpy call without checking for overflow when multiplying the length of an object ("len") by the number of bytes per element ("size").
For objects large enough to cause this overflow, if the value of "size * len" (as a signed int) is negative, you get a seg fault and at least know you have a problem. If it's non-negative, though, writeBin succeeds but silently leaves a portion of the output as 0.
# Setting n to 2^28 will generate a segfault in memcpy().
# Assuming .Machine$integer.max is 2^31 - 1.
n <- as.integer( 2^29 )
x <- rep( 1.0, n )
writeBin( x, "test_data.bin" )
y <- readBin( "test_data.bin", numeric(), n )
all( y == 0 ) # TRUE
First noticed on R version 2.11.1 (2010-05-31), x86_64-unknown-linux-gnu.
Such attempts are disallowed in 2.12.0. They cannot work for RAW output,
and for a connection there is no need to write more than 2GB in a single step.
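The overflow described in this report, as an added C example that is not R's source code and not part of the bug thread: it shows what a 32-bit "size * len" holds for the two lengths mentioned above, next to a byte-count check that rejects such requests before memcpy. The function names are hypothetical, and a 32-bit two's-complement int is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value a 32-bit signed "size * len" ends up holding on two's-complement
   targets. Computed through uint32_t so the example itself does not
   invoke signed-overflow undefined behaviour. */
static int32_t wrapped_product(int32_t size, int32_t len)
{
    uint32_t u = (uint32_t)size * (uint32_t)len;
    int32_t r;
    memcpy(&r, &u, sizeof r);
    return r;
}

/* Returns 0 and stores the byte count in *nbytes, or -1 when size * len
   cannot be represented as a non-negative int. */
static int checked_byte_count(int size, int len, size_t *nbytes)
{
    if (size <= 0 || len < 0)
        return -1;
    if (len > INT_MAX / size)      /* division cannot overflow */
        return -1;
    *nbytes = (size_t)size * (size_t)len;
    return 0;
}

/* Copies len elements of size bytes each, refusing oversized requests
   and requests that do not fit in the destination buffer. */
static int copy_elements(void *dst, size_t dst_cap,
                         const void *src, int size, int len)
{
    size_t n;
    if (checked_byte_count(size, len, &n) != 0 || n > dst_cap)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

int main(void)
{
    /* 8 bytes per double, with the two lengths from the report. */
    printf("len=2^28: %ld\n", (long)wrapped_product(8, 1 << 28)); /* negative */
    printf("len=2^29: %ld\n", (long)wrapped_product(8, 1 << 29)); /* zero */
    return 0;
}
```

With 8-byte doubles, a length of 2^28 wraps to a negative count and 2^29 wraps to exactly 0, which matches the segfault and the silent all-zero output reported above.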