From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 31690 invoked by alias); 27 Oct 2015 00:06:20 -0000 Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-bugs-owner@gcc.gnu.org Received: (qmail 31330 invoked by uid 55); 27 Oct 2015 00:06:15 -0000 From: "ch3root at openwall dot com" To: gcc-bugs@gcc.gnu.org Subject: [Bug c/68065] Size calculations for VLAs can overflow Date: Tue, 27 Oct 2015 00:06:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: c X-Bugzilla-Version: 5.2.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: ch3root at openwall dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-10/txt/msg02185.txt.bz2 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065 --- Comment #5 from Alexander Cherepanov --- On 2015-10-27 02:27, joseph at codesourcery dot com wrote: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065 > > --- Comment #4 from joseph at codesourcery dot com --- > On Mon, 26 Oct 2015, ch3root at openwall dot com wrote: > >> The core issue is an overflow in size computations which is not limited to VLA. >> You can as easily get a crash with non-VLA-array+sizeof+malloc: >> >> #define N /* complex computation leading to.. */ (UINT_MAX / sizeof(int) + 2) >> int (*p)[N]; > > That sounds like a completely separate bug. Please file a separate bug in > Bugzilla for it. Any construction of a non-VLA type whose size is half or > more of the address space should receive a compile-time error, like you > get if you don't use a pointer here. Ok, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68107 . > VLA size overflow, however, is undefined behavior at runtime, not compile > time, hence a matter for ubsan. VLA size overflow is very similar to overflow in "new". Shouldn't it be handled in a similar way?