[Bug c++/19351] New: operator new[] can return heap blocks which are too small

fw at deneb dot enyo dot de gcc-bugzilla@gcc.gnu.org
Sun Jan 9 22:18:00 GMT 2005


operator new[] sometimes returns pointers to heap blocks which are too small. 
When a new array is allocated, the C++ run-time has to calculate its size.  The
product may exceed the maximum value which can be stored in a machine register.
 This error is ignored, and the truncated value is used for the heap allocation.

This may lead to heap overflows and therefore security bugs.  (See
http://cert.uni-stuttgart.de/advisories/calloc.php for further references.)

The test case below uses a user-defined operator new[] to test for the presence
of this problem.  However, the problem itself occurs also with the default
operator new[], but it is probably harder to write a portable test case.

#include <testsuite_hooks.h>

struct foo
{
  char data[16];
  void* operator new[] (size_t size)
  {
    VERIFY(size != sizeof(foo));
    VERIFY (false);
    return malloc(size);
  }
};

int
main()
{
  size_t size = size_t (-1) / sizeof(foo) + 2;
  try
    {
      foo* f = new foo[size];
      VERIFY (f == 0);
      VERIFY (false);
    }
  catch(std::bad_alloc&)
    {
      return 0;
    }
}

-- 
           Summary: operator new[] can return heap blocks which are too
                    small
           Product: gcc
           Version: 3.4.3
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: c++
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: fw at deneb dot enyo dot de
                CC: gcc-bugs at gcc dot gnu dot org
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351



More information about the Gcc-bugs mailing list