Fix PR c++/19351 (operator new[] overflow)
Florian Weimer
fweimer@redhat.com
Fri Aug 10 15:03:00 GMT 2012
On 07/18/2012 04:31 PM, Florian Weimer wrote:
> On 07/18/2012 03:55 PM, Jason Merrill wrote:
>> On 06/26/2012 10:29 AM, Florian Weimer wrote:
>>> + /* Set to (size_t)-1 if the size check fails. */
>>> + if (size_check != NULL_TREE)
>>> + *size = fold_build3 (COND_EXPR, sizetype, size_check,
>>> + original_size, TYPE_MAX_VALUE (sizetype));
>>> VEC_safe_insert (tree, gc, *args, 0, *size);
>>> *args = resolve_args (*args, complain);
>>> if (*args == NULL)
>>> @@ -4022,7 +4030,11 @@ build_operator_new_call (tree fnname,
>>> VEC(tree,gc) **args,
>>> if (use_cookie)
>>> {
>>> /* Update the total size. */
>>> - *size = size_binop (PLUS_EXPR, *size, *cookie_size);
>>> + *size = size_binop (PLUS_EXPR, original_size, *cookie_size);
>>> + /* Set to (size_t)-1 if the size check fails. */
>>> + gcc_assert (size_check != NULL_TREE);
>>> + *size = fold_build3 (COND_EXPR, sizetype, size_check,
>>> + *size, TYPE_MAX_VALUE (sizetype));
>>
>> Looks like you're evaluating the size_check twice for types that use
>> cookies.
>
> I try to avoid this by using original_size instead of size on the first
> assignment under the use_cookie case.
>
>>> + /* Unconditionally substract the array size. This decreases the
>>> + maximum object size and is safe even if we choose not to use
>>> + a cookie after all. */
>>
>> "cookie size"
>
> Okay, I will fix that.
>
>> But since we're going to be deciding whether or not to use a cookie in
>> this function anyway, why not do it here?
>
> The decision to use a cookie is currently split between the two
> functions and there are several special cases (Java, ABI compatibility
> flags). I did not want to disturb this code too much because we do not
> have much test suite coverage in this area.
Ping?
I'm attaching the current patch.
--
Florian Weimer / Red Hat Product Security Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: operator-new-overflow.patch
Type: text/x-patch
Size: 11018 bytes
Desc: not available
URL: <http://gcc.gnu.org/pipermail/gcc-patches/attachments/20120810/fdb441ad/attachment.bin>
More information about the Gcc-patches
mailing list