operator new has an implicit *sizeof(type), and during that operation there can occur an integer overflow. Example:

    int* foo() { return new int[0x40000000]; }

Compiled for a 32-bit target, this allocates 0 bytes. Most compilers do not detect this either, but the Microsoft compiler instead generates code that in case of overflow generates an allocation for 0xffffffff bytes that will then fail. g++ should also do that. It catches many subtle security bugs, and it costs much less than for example -fstack-protector, which everyone agrees is a great idea.

-- 
Summary: operator new susceptible to integer overflow
Product: gcc
Version: 4.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: felix-gcc at fefe dot de
GCC build triplet: x86_64-unknown-linux-gnu
GCC host triplet: x86_64-unknown-linux-gnu
GCC target triplet: x86_64-unknown-linux-gnu

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35790
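The arithmetic behind the report, as an added example that is not part of the bug report or of GCC: `array_bytes_32` models the byte count `new int[n]` must compute on a target with a 32-bit `size_t` (modelled with `uint32_t` so the wrap reproduces on a 64-bit host), `array_size_overflows` is the division-based check that a compiler or library can perform without itself overflowing, and `checked_new_array` is a hand-written helper (not a compiler feature) that refuses a wrapping request the way the report asks the compiler to. All three names are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>

// Byte count that `new T[n]` must compute on a target with a 32-bit size_t.
// uint32_t stands in for that size_t so the wrap shows on any host:
// unsigned arithmetic wraps modulo 2^32, so 0x40000000 * 4 == 0.
uint32_t array_bytes_32(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

// True if count * elem_size does not fit in an unsigned integer of `bits`
// width (32 or 64). Dividing the maximum by elem_size avoids forming the
// product, so the check itself cannot overflow.
bool array_size_overflows(uint64_t count, uint64_t elem_size, unsigned bits) {
    if (elem_size == 0) return false;
    uint64_t max = (bits >= 64) ? UINT64_MAX : ((uint64_t)1 << bits) - 1;
    return count > max / elem_size;
}

// Checked replacement for `new T[n]`: refuse the request when the byte count
// would wrap, instead of returning an undersized buffer that the caller will
// then index as if it held n elements. Done by hand here; the report asks the
// compiler to emit the equivalent check.
template <typename T>
T* checked_new_array(std::size_t n) {
    if (n > std::numeric_limits<std::size_t>::max() / sizeof(T))
        throw std::bad_array_new_length();
    return new T[n];
}

// Exercise checked_new_array with the smallest count for which n * sizeof(int)
// wraps on the host's size_t; returns true if the request was rejected.
bool checked_new_rejects_overflow() {
    std::size_t n = std::numeric_limits<std::size_t>::max() / sizeof(int) + 1;
    try {
        int* p = checked_new_array<int>(n);
        delete[] p;
        return false;
    } catch (const std::bad_array_new_length&) {
        return true;
    }
}

int main() {
    // The report's example on a 32-bit target: 0x40000000 ints of 4 bytes.
    uint32_t bytes = array_bytes_32(0x40000000u, 4);
    std::printf("new int[0x40000000] on 32-bit requests %u bytes\n", bytes);
    std::printf("overflows 32-bit size_t: %d, 64-bit size_t: %d\n",
                (int)array_size_overflows(0x40000000ull, 4, 32),
                (int)array_size_overflows(0x40000000ull, 4, 64));
    std::printf("checked_new_array rejects a wrapping count: %d\n",
                (int)checked_new_rejects_overflow());
    return 0;
}
```

The same count is harmless on a 64-bit target (0x40000000 * 4 fits easily), which is why the bug only shows when compiling for 32 bits; the division check is what makes the rejection independent of the target width.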