Re: security-related gcc bug
Michael Ströder writes:
> [Bug c/27180] New: pointer arithmetic overflow handling broken
That code, "(char *)buf + (unsigned long)-1", yields undefined
behavior if buf points at an object smaller than (unsigned long)-1
bytes. Pointer arithmetic is only valid within a single object.
However, the bug it is marked as a dup of miscompiles valid code:
int *start /* size 100 */, *tmp;
for (tmp = start + 100; tmp > start; --tmp);
OpenLDAP has code which scans a struct berval backwards from
bv_val+bv_len to bv_val.
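As an added example, not code from this thread or from OpenLDAP, here is a backward scan over a berval-style buffer written in the `tmp > start` form the message describes as valid; the minimal `struct berval` and the `berval_rtrim_len` function are constructed for this illustration and only mirror the two members the scan needs.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for OpenLDAP's struct berval (constructed for this
 * example; only the two members used by the scan are included). */
struct berval {
    size_t bv_len;  /* length of the value in bytes */
    char  *bv_val;  /* the bytes; not assumed to be NUL-terminated */
};

/* Return the byte count remaining once trailing spaces are dropped,
 * scanning backwards from bv_val + bv_len to bv_val.
 *
 * Every pointer value formed here lies in [bv_val, bv_val + bv_len],
 * i.e. inside or one past the object, so the arithmetic is defined
 * (unlike "buf + (unsigned long)-1", which leaves the object) and a
 * conforming compiler must not assume "tmp > start" is always true.
 * Returns 0 when the value is empty or entirely spaces. */
size_t berval_rtrim_len(const struct berval *bv)
{
    const char *start = bv->bv_val;
    const char *tmp;

    /* Same loop shape as "for (tmp = start + 100; tmp > start; --tmp)";
     * tmp[-1] is only read while tmp > start, so it never reads before
     * bv_val. */
    for (tmp = start + bv->bv_len; tmp > start; --tmp) {
        if (tmp[-1] != ' ')
            break;
    }
    return (size_t)(tmp - start);
}

/* Convenience wrapper over a C string (constructed test input). */
size_t rtrim_len_of(const char *s)
{
    struct berval bv;
    bv.bv_val = (char *)s;
    bv.bv_len = strlen(s);
    return berval_rtrim_len(&bv);
}
```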