Bug 35790 - operator new susceptible to integer overflow
Summary: operator new susceptible to integer overflow
Status: RESOLVED DUPLICATE of bug 19351
Alias: None
Product: gcc
Classification: Unclassified
Component: c++
Version: 4.3.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-01 20:02 UTC by felix-gcc
Modified: 2008-04-01 20:46 UTC
CC: 4 users

See Also:
Host: x86_64-unknown-linux-gnu
Target: x86_64-unknown-linux-gnu
Build: x86_64-unknown-linux-gnu
Known to work:
Known to fail:
Last reconfirmed:


Description felix-gcc 2008-04-01 20:02:33 UTC
operator new has an implicit *sizeof(type), and during that operation there can occur an integer overflow.  Example:

int* foo() {
  // 0x40000000 * sizeof(int) == 0x100000000, which wraps to 0 in a 32-bit size_t
  return new int[0x40000000];
}

Compiled for a 32-bit target, this allocates 0 bytes.  Most compilers do not detect this either, but the Microsoft compiler instead generates code that in case of overflow generates an allocation for 0xffffffff bytes that will then fail.

g++ should also do that.  It catches many subtle security bugs, and it costs much less than for example -fstack-protector, which everyone agrees is a great idea.
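The check the report asks for, worked through as an added example (this code is not from the bug report and is not GCC's implementation): `checked_array_bytes` models the `count * sizeof(T)` computation of `operator new[]` with an overflow test, `wrapped_array_bytes` shows the unchecked modular result, and `checked_new_array` is a hypothetical wrapper that refuses the allocation instead of handing the wrapped size to `operator new`. `SizeT` is instantiated with `uint32_t` to reproduce the 32-bit case from the report on any host; all function names are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Emulates the byte-count computation operator new[] performs: count * elem_size.
// SizeT stands in for the target's size_t (uint32_t models the 32-bit target in
// the report). Returns false, and sets bytes to the maximum value, when the
// product would wrap; the caller must then refuse to allocate.
template <typename SizeT>
bool checked_array_bytes(SizeT count, SizeT elem_size, SizeT& bytes) {
    if (elem_size == 0) {            // zero-sized element type: nothing to multiply
        bytes = 0;
        return true;
    }
    // Division instead of multiplication so the test itself cannot wrap.
    if (count > std::numeric_limits<SizeT>::max() / elem_size) {
        bytes = std::numeric_limits<SizeT>::max();
        return false;
    }
    bytes = count * elem_size;
    return true;
}

// The unchecked computation: unsigned arithmetic wraps modulo 2^N, so an
// oversized count silently turns into a small (here: zero) allocation.
template <typename SizeT>
SizeT wrapped_array_bytes(SizeT count, SizeT elem_size) {
    return static_cast<SizeT>(count * elem_size);
}

// Hypothetical hardened new[]: rejects a count whose byte size would wrap
// instead of allocating the wrapped size. Throws std::bad_array_new_length.
template <typename T>
T* checked_new_array(std::size_t count) {
    std::size_t bytes = 0;
    if (!checked_array_bytes<std::size_t>(count, sizeof(T), bytes))
        throw std::bad_array_new_length();
    return new T[count];
}

int main() {
    // The report's numbers: 0x40000000 ints on a 32-bit target (constructed input).
    std::uint32_t bytes = 0;
    bool ok = checked_array_bytes<std::uint32_t>(0x40000000u, 4u, bytes);
    std::printf("checked: ok=%d bytes=0x%08x\n", ok, bytes);          // ok=0 bytes=0xffffffff
    std::printf("wrapped: 0x%08x\n",
                wrapped_array_bytes<std::uint32_t>(0x40000000u, 4u)); // 0x00000000

    // Same count is fine once the size computation is done in 64 bits.
    std::uint64_t bytes64 = 0;
    ok = checked_array_bytes<std::uint64_t>(0x40000000u, 4u, bytes64);
    std::printf("64-bit: ok=%d bytes=0x%llx\n", ok,
                static_cast<unsigned long long>(bytes64));             // ok=1 bytes=0x100000000

    // The wrapper refuses an overflowing request on the host's real size_t.
    try {
        checked_new_array<int>(std::numeric_limits<std::size_t>::max());
    } catch (const std::bad_array_new_length&) {
        std::printf("checked_new_array refused the overflowing request\n");
    }
    int* p = checked_new_array<int>(4);   // ordinary request still works
    delete[] p;
    return 0;
}
```

The division-based test is the portable form; on GCC and Clang the same check can be written with `__builtin_mul_overflow`, which compiles to a multiply plus a carry/overflow flag test and is what a compiler would emit inline in front of the call to `operator new`.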
Comment 1 Andrew Pinski 2008-04-01 20:46:09 UTC
There is no overflow here really as sizeof is unsigned and unsigned types don't overflow, they wrap.

*** This bug has been marked as a duplicate of 19351 ***