This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Fix PR c++/19351 (operator new[] overflow)

From: Jason Merrill <jason at redhat dot com>
To: Florian Weimer <fweimer at redhat dot com>
Cc: gcc-patches at gcc dot gnu dot org
Date: Wed, 18 Jul 2012 09:55:01 -0400
Subject: Re: Fix PR c++/19351 (operator new[] overflow)
References: <4FD9B4F6.4030200@redhat.com> <4FE9C75A.8030000@redhat.com>

On 06/26/2012 10:29 AM, Florian Weimer wrote:

+  /* Set to (size_t)-1 if the size check fails.  */
+  if (size_check != NULL_TREE)
+    *size = fold_build3 (COND_EXPR, sizetype, size_check,
+			 original_size, TYPE_MAX_VALUE (sizetype));
    VEC_safe_insert (tree, gc, *args, 0, *size);
    *args = resolve_args (*args, complain);
    if (*args == NULL)
@@ -4022,7 +4030,11 @@ build_operator_new_call (tree fnname, VEC(tree,gc) **args,
         if (use_cookie)
  	 {
  	   /* Update the total size.  */
-	   *size = size_binop (PLUS_EXPR, *size, *cookie_size);
+	   *size = size_binop (PLUS_EXPR, original_size, *cookie_size);
+	   /* Set to (size_t)-1 if the size check fails.  */
+	   gcc_assert (size_check != NULL_TREE);
+	   *size = fold_build3 (COND_EXPR, sizetype, size_check,
+				*size, TYPE_MAX_VALUE (sizetype));

Looks like you're evaluating the size_check twice for types that use cookies.

+      /* Unconditionally substract the array size.  This decreases the
+	 maximum object size and is safe even if we choose not to use
+	 a cookie after all.  */

"cookie size"

But since we're going to be deciding whether or not to use a cookie in this function anyway, why not do it here?

Jason

Follow-Ups:
- Re: Fix PR c++/19351 (operator new[] overflow)
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]