This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug c++/19351] New: operator new[] can return heap blocks which are too small
- From: "fw at deneb dot enyo dot de" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 9 Jan 2005 22:18:17 -0000
- Subject: [Bug c++/19351] New: operator new[] can return heap blocks which are too small
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
operator new[] sometimes returns pointers to heap blocks which are too small.
When a new array is allocated, the C++ run-time has to calculate its size. The
product may exceed the maximum value which can be stored in a machine register.
This error is ignored, and the truncated value is used for the heap allocation.
This may lead to heap overflows and therefore security bugs. (See
http://cert.uni-stuttgart.de/advisories/calloc.php for further references.)
The test case below uses a user-defined operator new[] to test for the presence
of this problem. However, the problem itself occurs also with the default
operator new[], but it is probably harder to write a portable test case.
#include <testsuite_hooks.h>
#include <cstddef>   // size_t
#include <cstdlib>   // malloc
#include <new>       // std::bad_alloc

struct foo
{
    char data[16];

    // The element count chosen in main() makes count * sizeof(foo) overflow
    // size_t, so a correct run-time must throw std::bad_alloc before ever
    // calling this operator. Reaching it at all means the size was truncated.
    void* operator new[] (size_t size)
    {
        VERIFY(size != sizeof(foo));
        VERIFY(false);
        return malloc(size);
    }
};

int
main()
{
    // Just past the point where count * sizeof(foo) wraps around.
    size_t size = size_t(-1) / sizeof(foo) + 2;
    try
    {
        foo* f = new foo[size];
        VERIFY(f == 0);
        VERIFY(false);
    }
    catch (std::bad_alloc&)
    {
        return 0;
    }
}
--
Summary: operator new[] can return heap blocks which are too small
Product: gcc
Version: 3.4.3
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: c++
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: fw at deneb dot enyo dot de
CC: gcc-bugs at gcc dot gnu dot org
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
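The following is an added example, not the reporter's test case or GCC's run-time code. It shows the arithmetic behind the report: with the element count the test uses, the wrapped product equals sizeof(foo), which is exactly the size the reporter's operator new[] checks for, and it shows the overflow check a correct size computation has to perform before allocating. The struct name foo and the helper function names are assumptions made for the example.

```cpp
#include <cstddef>
#include <limits>
#include <new>

// Same layout as the struct in the report: 16 bytes per element.
struct foo { char data[16]; };

// What a truncating run-time computes for new T[count]: the product
// count * elem_size with unsigned wraparound and no diagnostic.
std::size_t truncated_byte_count(std::size_t count, std::size_t elem_size)
{
    return count * elem_size;
}

// True when count * elem_size does not fit in size_t. Dividing the maximum
// by elem_size avoids performing the overflowing multiplication itself.
bool array_size_overflows(std::size_t count, std::size_t elem_size)
{
    return elem_size != 0 &&
           count > std::numeric_limits<std::size_t>::max() / elem_size;
}

// Overflow-checked byte count for an array allocation. Throws std::bad_alloc
// on overflow, which is what the reporter's test expects from new foo[size].
std::size_t checked_byte_count(std::size_t count, std::size_t elem_size)
{
    if (array_size_overflows(count, elem_size))
        throw std::bad_alloc();
    return count * elem_size;
}

// The element count used in the report: one step past the wrap point.
std::size_t report_count()
{
    return std::size_t(-1) / sizeof(foo) + 2;
}

// Convenience wrapper: does the checked path reject this request?
bool checked_throws(std::size_t count, std::size_t elem_size)
{
    try {
        checked_byte_count(count, elem_size);
    } catch (const std::bad_alloc&) {
        return true;
    }
    return false;
}
```

On both 32- and 64-bit targets truncated_byte_count(report_count(), sizeof(foo)) comes out to 16, so an unchecked run-time would hand back a block large enough for a single foo while the caller believes it owns report_count() of them.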