Fix PR c++/19351 (operator new[] overflow)
Jason Merrill
jason@redhat.com
Wed Jul 18 13:55:00 GMT 2012
On 06/26/2012 10:29 AM, Florian Weimer wrote:
> + /* Set to (size_t)-1 if the size check fails. */
> + if (size_check != NULL_TREE)
> + *size = fold_build3 (COND_EXPR, sizetype, size_check,
> + original_size, TYPE_MAX_VALUE (sizetype));
> VEC_safe_insert (tree, gc, *args, 0, *size);
> *args = resolve_args (*args, complain);
> if (*args == NULL)
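Review bot: the comment on the new COND_EXPR says only that *size becomes (size_t)-1 when size_check fails, not why that value is a safe result; it is worth stating that TYPE_MAX_VALUE (sizetype) is chosen because no operator new can satisfy an allocation of that size, so the overflowed request is turned into an allocation failure rather than an undersized buffer. Note also that the clamp is applied only under `if (size_check != NULL_TREE)`, so when no check was built the unclamped *size is what VEC_safe_insert passes to operator new; a short comment on when size_check is NULL_TREE would make clear that this path is intended.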
> @@ -4022,7 +4030,11 @@ build_operator_new_call (tree fnname, VEC(tree,gc) **args,
> if (use_cookie)
> {
> /* Update the total size. */
> - *size = size_binop (PLUS_EXPR, *size, *cookie_size);
> + *size = size_binop (PLUS_EXPR, original_size, *cookie_size);
> + /* Set to (size_t)-1 if the size check fails. */
> + gcc_assert (size_check != NULL_TREE);
> + *size = fold_build3 (COND_EXPR, sizetype, size_check,
> + *size, TYPE_MAX_VALUE (sizetype));
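Review bot: `size_binop (PLUS_EXPR, original_size, *cookie_size)` is computed before the COND_EXPR is applied, so the addition itself can wrap when original_size is close to TYPE_MAX_VALUE (sizetype); this is only correct if size_check already reserves room for the cookie, and that dependency should be spelled out in the comment here instead of the generic "Set to (size_t)-1 if the size check fails". The `gcc_assert (size_check != NULL_TREE)` also contrasts with the earlier hunk, which treats a NULL_TREE size_check as a legitimate case behind an `if`; document the invariant that use_cookie implies a size check exists, so a reader can tell which of the two handling styles is the intended one.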
Looks like you're evaluating the size_check twice for types that use
cookies.
> + /* Unconditionally substract the array size. This decreases the
> + maximum object size and is safe even if we choose not to use
> + a cookie after all. */
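Review bot: "substract" should be "subtract", and the comment should name what the cookie size is being subtracted from (the bound that size_check tests the requested size against), since "decreases the maximum object size" on its own does not tell the reader which quantity shrinks or why an unused cookie still leaves the bound conservative rather than wrong.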
"cookie size"
But since we're going to be deciding whether or not to use a cookie in
this function anyway, why not do it here?
Jason