From: "joseph at codesourcery dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/68065] Size calculations for VLAs can overflow
Date: Tue, 27 Oct 2015 00:15:00 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065

--- Comment #6 from joseph at codesourcery dot com ---

On Tue, 27 Oct 2015, ch3root at openwall dot com wrote:

> > VLA size overflow, however, is undefined behavior at runtime, not compile
> > time, hence a matter for ubsan.
>
> VLA size overflow is very similar to overflow in "new". Shouldn't it be
> handled in a similar way?

I'm thinking of it as essentially like stack overflow, where it's traditionally been the user's job to bound their stack allocations.
I think ubsan should enable all of (VLA size overflow checks, stack checking for fixed-size allocations to ensure the amount of stack space allocated in one go is small enough that overflow is guaranteed to be detected, similar checks for variable size allocations whether from VLAs or alloca). Of course separate options for various cases may make sense as well.
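The two sides of the discussion above, as an added example that is not part of the bug report or of GCC: `wrapped_vla_bytes` shows what unchecked `size_t` arithmetic produces for an n-by-m VLA (the product wraps and the frame the compiler reserves is far smaller than the array the code then indexes), and `vla_size_ok` / `checked_vla_sum` show the "user's job" bound that Joseph describes, done with the GCC/Clang `__builtin_mul_overflow` builtin before the VLA is declared. The function names and the `VLA_STACK_BUDGET` limit are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-VLA stack budget for this demo; real limits are platform-
 * and thread-specific and are not taken from the bug report. */
#define VLA_STACK_BUDGET ((size_t)64 * 1024)

/* What unchecked size_t arithmetic yields for an n-by-m VLA of elem-byte
 * elements: the product wraps silently once it exceeds SIZE_MAX. This is the
 * quantity the compiler reserves on the stack for `T buf[n][m]`. */
size_t wrapped_vla_bytes(size_t n, size_t m, size_t elem)
{
    return n * m * elem;
}

/* Overflow-checked sizing: returns 1 and stores the byte count if n*m*elem is
 * representable and under the budget, 0 otherwise. __builtin_mul_overflow is a
 * GCC/Clang builtin that reports wraparound instead of hiding it. */
int vla_size_ok(size_t n, size_t m, size_t elem, size_t *out_bytes)
{
    size_t cells, bytes;
    if (n == 0 || m == 0 || elem == 0)
        return 0;                       /* a zero-length VLA is itself UB */
    if (__builtin_mul_overflow(n, m, &cells))
        return 0;                       /* n*m wrapped */
    if (__builtin_mul_overflow(cells, elem, &bytes))
        return 0;                       /* n*m*elem wrapped */
    if (bytes > VLA_STACK_BUDGET)
        return 0;                       /* representable, but too big for one frame */
    if (out_bytes)
        *out_bytes = bytes;
    return 1;
}

/* Declares the VLA only after the size has been validated. Returns the sum of
 * buf[i][j] = i + j over the array, or -1 if the request was rejected. */
long checked_vla_sum(size_t n, size_t m)
{
    size_t bytes;
    if (!vla_size_ok(n, m, sizeof(int), &bytes))
        return -1;

    int buf[n][m];
    /* sizeof on a VLA is evaluated at run time; it must equal the checked size */
    if (sizeof buf != bytes)
        return -1;

    long sum = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < m; j++) {
            buf[i][j] = (int)(i + j);
            sum += buf[i][j];
        }
    return sum;
}

int main(void)
{
    /* Constructed bounds: 2^(bits-1) * 2 == 2^bits, which wraps to 0. */
    size_t big = SIZE_MAX / 2 + 1;
    printf("unchecked bytes for [%zu][2]: %zu\n", big,
           wrapped_vla_bytes(big, 2, sizeof(int)));
    printf("checked result for [%zu][2]: %ld\n", big, checked_vla_sum(big, 2));
    printf("checked result for [4][4]: %ld\n", checked_vla_sum(4, 4));
    return 0;
}
```

The constructed bounds make the unchecked size come out as exactly 0 bytes on any word size, while the checked path rejects the same request before any frame is reserved. Note that GCC's existing `-fsanitize=vla-bound` only checks that each bound is positive; it does not check the product of the dimensions, which is why a bound like `vla_size_ok` has to be written by hand today.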