User account creation filtered due to spam.

Bug 35790 - operator new susceptible to integer overflow
Summary: operator new susceptible to integer overflow
Status: RESOLVED DUPLICATE of bug 19351
Alias: None
Product: gcc
Classification: Unclassified
Component: c++ (show other bugs)
Version: 4.3.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-01 20:02 UTC by felix-gcc
Modified: 2008-04-01 20:46 UTC (History)
4 users (show)

See Also:
Host: x86_64-unknown-linux-gnu
Target: x86_64-unknown-linux-gnu
Build: x86_64-unknown-linux-gnu
Known to work:
Known to fail:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description felix-gcc 2008-04-01 20:02:33 UTC
operator new has an implicit *sizeof(type), and during that operation there can occur an integer overflow.  Example:

int* foo() {
  return new int[0x40000000];
}

Compiled for a 32-bit target, this allocates 0 bytes.  Most compilers do not detect this either, but the Microsoft compiler instead generates code that in case of overflow generates an allocation for 0xffffffff bytes that will then fail.

g++ should also do that.  It catches many subtle security bugs, and it costs much less than for example -fstack-protector, which everyone agrees is a great idea.
Comment 1 Andrew Pinski 2008-04-01 20:46:09 UTC
There is no overflow here really as sizeof is unsigned and unsigned types don't overflow, they wrap.

*** This bug has been marked as a duplicate of 19351 ***