
Re: security-related gcc bug

Michael Ströder writes:
> [Bug c/27180] New: pointer arithmetic overflow handling broken
> http://gcc.gnu.org/ml/gcc-bugs/2006-04/msg01297.html

That code, "(char *)buf + (unsigned long)-1", yields undefined
behavior if buf points at an object smaller than (unsigned long)-1
bytes.  Pointer arithmetic is only valid within a single object.

However, the bug it is marked as a dup of miscompiles valid code:
   int *start /* size 100 */, *tmp;
   ...
   for (tmp = start + 100; tmp > start; --tmp);
OpenLDAP has code which scans a struct berval backwards from
bv_val+bv_len to bv_val.

-- 
Hallvard
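
Added example (not code from the mail above, nor from OpenLDAP): the backward scan Hallvard describes, written out in C so the distinction between in-object pointer arithmetic and the "(char *)buf + (unsigned long)-1" case can be checked. The struct berval here is a stand-in assumed to mirror only the bv_len/bv_val members of the real one in lber.h; the inputs are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenLDAP's struct berval (assumption: only the two members
 * the backward scan needs are reproduced here; the real one is in lber.h). */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

/* The loop from the mail, with the buffer size passed in rather than
 * fixed at 100. Returns the number of iterations, which must equal len
 * for any buffer of len elements: every value tmp takes lies in
 * [start, start + len], the range C defines for pointer arithmetic on a
 * single object (start + len is the one-past-the-end pointer, which may
 * be compared and decremented but never dereferenced). */
size_t count_down(const int *start, size_t len)
{
    const int *tmp;
    size_t iters = 0;
    for (tmp = start + len; tmp > start; --tmp)
        iters++;
    return iters;
}

/* Scan a berval backwards from bv_val + bv_len to bv_val, the pattern the
 * mail says OpenLDAP uses, and count the trailing bytes equal to c.
 * tmp[-1] is read only while tmp > start, so no access goes below the
 * start of the object and the arithmetic never leaves it. */
size_t berval_count_trailing(const struct berval *bv, char c)
{
    const char *start = bv->bv_val;
    const char *tmp;
    size_t n = 0;
    for (tmp = start + bv->bv_len; tmp > start; --tmp) {
        if (tmp[-1] != c)
            break;
        n++;
    }
    return n;
}

/* Constructed input: a 100-element array, matching the mail's comment. */
size_t demo_count_down(void)
{
    int buf[100];
    memset(buf, 0, sizeof buf);
    return count_down(buf, 100);   /* 100 on a correct compiler */
}

/* Constructed input: a berval holding "cn=example   " (three trailing
 * spaces); bv_len deliberately excludes the NUL, as berval lengths do. */
size_t demo_trailing_spaces(void)
{
    char text[] = "cn=example   ";
    struct berval bv;
    bv.bv_val = text;
    bv.bv_len = strlen(text);
    return berval_count_trailing(&bv, ' ');   /* 3 */
}

/* Not shown as code: (char *)buf + (unsigned long)-1 on a 100-byte buffer.
 * That pointer value lies outside the object, so the addition itself is
 * undefined and there is no result to check. Both functions above keep
 * every intermediate pointer inside [start, start + len]. */

int main(void)
{
    printf("count_down over 100 ints: %zu iterations\n", demo_count_down());
    printf("trailing spaces: %zu\n", demo_trailing_spaces());
    return 0;
}
```

Compiling this with the optimisation level that triggers the reported miscompile and checking that demo_count_down() still returns 100 is the direct test of whether the compiler honours the start + len > start comparison on an in-bounds buffer.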