From: "fw at deneb dot enyo dot de" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/19351] New: operator new[] can return heap blocks which are too small
Date: Sun, 09 Jan 2005 22:18:00 -0000
Message-ID: <20050109221816.19351.fw@deneb.enyo.de>

operator new[] sometimes returns pointers to heap blocks which are too small.

When a new array is allocated, the C++ run-time has to calculate its size. The product may exceed the maximum value which can be stored in a machine register. This error is ignored, and the truncated value is used for the heap allocation. This may lead to heap overflows and therefore security bugs. (See http://cert.uni-stuttgart.de/advisories/calloc.php for further references.)

The test case below uses a user-defined operator new[] to test for the presence of this problem. However, the problem itself occurs also with the default operator new[], but it is probably harder to write a portable test case.

#include <testsuite_hooks.h>   // provides VERIFY
#include <cstddef>             // size_t
#include <cstdlib>             // malloc
#include <new>                 // std::bad_alloc

struct foo
{
  char data[16];

  // If the run-time multiplies size * sizeof(foo) without an overflow check,
  // this is called with the wrapped (too small) byte count.
  void* operator new[] (size_t size)
  {
    VERIFY(size != sizeof(foo));
    VERIFY (false);
    return malloc(size);
  }
};

int main()
{
  // Chosen so that size * sizeof(foo) wraps around to a small value.
  size_t size = size_t (-1) / sizeof(foo) + 2;
  try
    {
      foo* f = new foo[size];
      VERIFY (f == 0);
      VERIFY (false);
    }
  catch(std::bad_alloc&)
    {
      // Expected: the oversized request is rejected.
      return 0;
    }
}

--
Summary: operator new[] can return heap blocks which are too small
Product: gcc
Version: 3.4.3
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: c++
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: fw at deneb dot enyo dot de
CC: gcc-bugs at gcc dot gnu dot org
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
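The report's point is that the element count times the element size is computed in a machine word and the wrap-around is silently used as the allocation size. The following is an added example, not code from the bug report or from GCC's runtime, showing the naive computation beside a checked one that rejects the wrap (by the usual division test against SIZE_MAX), using the same element size and count as the report's test case; the function names and the std::bad_alloc-throwing wrapper are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>

// Element size and count from the report: sizeof(foo) is 16, and the count is
// chosen so that count * 16 wraps around the machine word.
std::size_t report_case_elem_size() { return 16; }
std::size_t report_case_count() {
    return static_cast<std::size_t>(-1) / report_case_elem_size() + 2;
}

// The naive computation: unsigned multiplication wraps silently, so the
// allocator is asked for far fewer bytes than the array needs.
std::size_t naive_array_bytes(std::size_t count, std::size_t elem_size) {
    return count * elem_size;
}

// Checked computation (example helper): returns true and stores the product
// only when it fits in size_t; returns false when it would wrap.
bool checked_array_bytes(std::size_t count, std::size_t elem_size,
                         std::size_t* bytes) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return false;  // count * elem_size does not fit in a size_t
    }
    *bytes = count * elem_size;
    return true;
}

// Allocation wrapper (example helper) that refuses an oversized request by
// throwing std::bad_alloc instead of passing a wrapped size to malloc.
void* safe_array_alloc(std::size_t count, std::size_t elem_size) {
    std::size_t bytes = 0;
    if (!checked_array_bytes(count, elem_size, &bytes)) {
        throw std::bad_alloc();
    }
    return std::malloc(bytes);
}

// Returns true when safe_array_alloc rejects the request (the behaviour the
// report expects from new foo[size]); frees the block otherwise.
bool safe_alloc_rejects(std::size_t count, std::size_t elem_size) {
    try {
        void* p = safe_array_alloc(count, elem_size);
        std::free(p);
        return false;
    } catch (const std::bad_alloc&) {
        return true;
    }
}

int main() {
    // The report's case: the naive product wraps to exactly sizeof(foo) bytes,
    // which is why its test asserts that size != sizeof(foo).
    std::size_t wrapped = naive_array_bytes(report_case_count(),
                                            report_case_elem_size());
    bool rejected = safe_alloc_rejects(report_case_count(),
                                       report_case_elem_size());
    return (wrapped == 16 && rejected) ? 0 : 1;
}
```

The wrapped value is 16 on both 32-bit and 64-bit targets, since (SIZE_MAX / 16 + 2) * 16 equals 2^N + 16 modulo 2^N; this is exactly the "too small" block the report describes, and the checked path turns it into the std::bad_alloc the test case catches.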
Thread overview (8+ messages):
2005-01-09 22:18 fw at deneb dot enyo dot de [this message]
2005-01-09 22:25 ` [Bug c++/19351] " pinskia at gcc dot gnu dot org
2005-01-09 22:35 ` fw at deneb dot enyo dot de
2005-01-09 22:45 ` pinskia at gcc dot gnu dot org
2005-01-09 22:47 ` pinskia at gcc dot gnu dot org
2005-01-09 22:48 ` bangerth at dealii dot org
2005-01-09 23:07 ` fw at deneb dot enyo dot de
2005-01-09 23:12 ` pinskia at gcc dot gnu dot org