[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: security-related gcc bug

Michael Ströder writes:
> [Bug c/27180] New: pointer arithmetic overflow handling broken
> http://gcc.gnu.org/ml/gcc-bugs/2006-04/msg01297.html

That code, "(char *)buf + (unsigned long)-1", yields undefined
behavior if buf points at an object smaller than (unsigned long)-1
bytes.  Pointer arithmetic is only valid within a single object.

However the bug it is marked as a dup of, miscompiles valid code:
   int *start /* size 100 */, *tmp;
   for (tmp = start + 100; tmp > start; --tmp);
OpenLDAP has code which scans a struct berval backwards from
bv_val+bv_len to bv_val.