Fix PR c++/19351 (operator new[] overflow)

Jason Merrill jason@redhat.com
Wed Jul 18 13:55:00 GMT 2012


On 06/26/2012 10:29 AM, Florian Weimer wrote:
> +  /* Set to (size_t)-1 if the size check fails.  */
> +  if (size_check != NULL_TREE)
> +    *size = fold_build3 (COND_EXPR, sizetype, size_check,
> +			 original_size, TYPE_MAX_VALUE (sizetype));
>     VEC_safe_insert (tree, gc, *args, 0, *size);
>     *args = resolve_args (*args, complain);
>     if (*args == NULL)
> @@ -4022,7 +4030,11 @@ build_operator_new_call (tree fnname, VEC(tree,gc) **args,
>          if (use_cookie)
>   	 {
>   	   /* Update the total size.  */
> -	   *size = size_binop (PLUS_EXPR, *size, *cookie_size);
> +	   *size = size_binop (PLUS_EXPR, original_size, *cookie_size);
> +	   /* Set to (size_t)-1 if the size check fails.  */
> +	   gcc_assert (size_check != NULL_TREE);
> +	   *size = fold_build3 (COND_EXPR, sizetype, size_check,
> +				*size, TYPE_MAX_VALUE (sizetype));

Looks like you're evaluating the size_check twice for types that use 
cookies.

> +      /* Unconditionally substract the array size.  This decreases the
> +	 maximum object size and is safe even if we choose not to use
> +	 a cookie after all.  */

"cookie size"

But since we're going to be deciding whether or not to use a cookie in 
this function anyway, why not do it here?

Jason



More information about the Gcc-patches mailing list