US-CERT Vulnerability Note VU#162289

Robert Dewar dewar@adacore.com
Mon Apr 14 12:08:00 GMT 2008


Richard Guenther wrote:

> In absence of any declared object (like with this testcase where we just
> have an incoming pointer to some unknown object) the compiler can
> still assume that any valid object ends at the end of the address space.
> Thus, an object either declared or allocated via malloc never "wraps"
> around to address zero.  Thus, ptr + int never "overflows".

Indeed.

An interesting case is the special allowance to point just past the
end of an array if the pointer is not dereferenced; this allows the
C idiom

    for (x = arr; x < &arr[10]; x++) ...

where arr has bounds 0..9, the limit pointer is used only for
testing, and this test must be valid. This means that you can't
have an array allocated up to the extreme end of the address
space if this would not work properly. I remember this issue
arising on the 286, where the maximum size of an array was
one element less than 64K bytes on one compiler to avoid
this anomaly.
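The practical consequence of the assumption Richard quotes, as an added example that is not part of this thread: a bounds check written as `buf + len < buf` depends on pointer wraparound, which the compiler may treat as impossible and delete; comparing lengths against the remaining room avoids forming any pointer beyond the one-past-the-end position. Function names and the sample buffer are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fragile form: relies on buf + len wrapping around the address space.
 * Under the rule quoted above the compiler may fold the first comparison
 * to false and remove it, so an oversized len is not caught. */
static int in_bounds_by_wrap(const char *buf, const char *end, size_t len)
{
    if (buf + len < buf)          /* may be optimized away entirely */
        return 0;
    return buf + len <= end;
}

/* Robust form: compute the remaining room as a size and compare lengths.
 * Only pointers inside [buf, end] are ever formed, where end is at most
 * the one-past-the-end pointer of the array. */
static int in_bounds_by_length(const char *buf, const char *end, size_t len)
{
    if (end < buf)
        return 0;
    size_t room = (size_t)(end - buf);
    return len <= room;
}

/* The idiom from the message: &arr[n] is formed and compared as a limit
 * but never dereferenced. */
static size_t count_nonzero(const unsigned char *arr, size_t n)
{
    size_t cnt = 0;
    for (const unsigned char *x = arr; x < &arr[n]; x++)
        if (*x)
            cnt++;
    return cnt;
}

int main(void)
{
    char buf[16] = {0};                      /* constructed sample buffer */
    const char *end = buf + sizeof buf;      /* one past the end, never read */
    printf("8 bytes fit (wrap form):   %d\n", in_bounds_by_wrap(buf, end, 8));
    printf("17 bytes fit (length form): %d\n", in_bounds_by_length(buf, end, 17));
    printf("SIZE_MAX fits (length form): %d\n", in_bounds_by_length(buf, end, SIZE_MAX));
    return 0;
}
```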


