[Bug c++/19351] New: operator new can return heap blocks which are too small
fw at deneb dot enyo dot de
Sun Jan 9 22:18:00 GMT 2005
operator new sometimes returns pointers to heap blocks which are too small.
When a new array is allocated, the C++ run-time has to calculate its size. The
product may exceed the maximum value which can be stored in a machine register.
This error is ignored, and the truncated value is used for the heap allocation.
This may lead to heap overflows and therefore security bugs. (See
http://cert.uni-stuttgart.de/advisories/calloc.php for further references.)
The test case below uses a user-defined operator new to test for the presence
of this problem. The problem itself also occurs with the default operator new,
but a portable test case for that is harder to write.
#include <cstdlib>
#include <testsuite_hooks.h>   // libstdc++ testsuite VERIFY macro
struct foo { char c[2]; };     // element type assumed here; any power-of-two size triggers the case
void* operator new (size_t size)
{ VERIFY(size != sizeof(foo)); return malloc(size); }   // fails if count*sizeof(foo) wrapped to one element
int main() {
  size_t size = size_t (-1) / sizeof(foo) + 2;   // count whose byte size overflows size_t
  foo* f = new foo[size];
  VERIFY (f == 0);                                // expected: allocation must be refused, not truncated
}
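An added example (not from the bug report) showing the wrap-around the report describes next to the overflow check a fixed run-time must apply before calling operator new; the element type foo and the helper names are assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Constructed element type: with a power-of-two size the wrapped product
// lands exactly on sizeof(foo), the case the report's VERIFY catches.
struct foo { std::uint16_t v; };

// What an unchecked run-time computes: the product silently wraps modulo 2^N.
std::size_t truncated_byte_count(std::size_t count, std::size_t elem)
{
    return count * elem;   // unsigned wrap-around, no diagnostic
}

// Overflow-checked version: false (and *out untouched) when the product does
// not fit in size_t. This is the check that must precede operator new.
bool checked_byte_count(std::size_t count, std::size_t elem, std::size_t* out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

// Allocation helper that refuses a truncated block, throwing
// std::bad_array_new_length as C++11 requires for an over-long array new.
template <typename T>
T* checked_new_array(std::size_t count)
{
    std::size_t bytes;
    if (!checked_byte_count(count, sizeof(T), &bytes))
        throw std::bad_array_new_length();
    return static_cast<T*>(::operator new(bytes));
}

// The count from the bug report: one past the largest count whose product fits.
std::size_t overflowing_count() { return SIZE_MAX / sizeof(foo) + 2; }

int main()
{
    std::size_t n = overflowing_count();
    // Unchecked: wraps to exactly sizeof(foo) bytes, room for a single element.
    if (truncated_byte_count(n, sizeof(foo)) != sizeof(foo)) return 1;
    // Checked: the allocation is refused instead of returning a short block.
    try { checked_new_array<foo>(n); } catch (const std::bad_array_new_length&) { return 0; }
    return 1;
}
```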
Summary: operator new can return heap blocks which are too
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: fw at deneb dot enyo dot de
CC: gcc-bugs at gcc dot gnu dot org
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu