https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88673

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |WAITING
   Last reconfirmed|                            |2019-01-03
     Ever confirmed|0                           |1

--- Comment #1 from Jonathan Wakely <redi at gcc dot gnu.org> ---
GCC 6.x is no longer supported, and 6.2.0 is not even the latest release from
the 6.x branch, so it's not very useful to report bugs against that version.


(In reply to Venkatesh Prabhu from comment #0)
> https://github.com/gcc-mirror/gcc/blob/gcc-6_2_0-release/libstdc++-v3/include/bits/random.tcc#L399
> 
> 
> Coverity report:
> 
> 399    _M_gen_rand(void)
> 400    {
> 401      const _UIntType __upper_mask = (~_UIntType()) << __r;
> 402      const _UIntType __lower_mask = ~__upper_mask;
> 403
>       1. Condition __k < 227UL /* 624UL - 397UL */, taking true branch.
>       4. Condition __k < 227UL /* 624UL - 397UL */, taking true branch.
>       7. Condition __k < 227UL /* 624UL - 397UL */, taking false branch.
> 404      for (size_t __k = 0; __k < (__n - __m); ++__k)
> 405        {
> 406          _UIntType __y = ((_M_x[__k] & __upper_mask)
> 407                           | (_M_x[__k + 1] & __lower_mask));
>       2. Condition __y & 1, taking true branch.
>       5. Condition __y & 1, taking true branch.
> 408          _M_x[__k] = (_M_x[__k + __m] ^ (__y >> 1)
> 409                       ^ ((__y & 0x01) ? __a : 0));
>       3. Jumping back to the beginning of the loop.
>       6. Jumping back to the beginning of the loop.
> 410        }
> 411
>       8. Condition __k < 623UL /* 624UL - 1 */, taking true branch.
> 412      for (size_t __k = (__n - __m); __k < (__n - 1); ++__k)
> 413        {
> 414          _UIntType __y = ((_M_x[__k] & __upper_mask)
> 415                           | (_M_x[__k + 1] & __lower_mask));
>       9. overflow: Add operation overflows on operands __k and
> 18446744073709551389UL.

The operands are unsigned, so cannot overflow.

>       
> CID 4797118 (#1-2 of 2): Overflowed array index read (INTEGER_OVERFLOW)
> 10. overflow_sink: Overflowed or truncated value (or a value computed from
> an overflowed or truncated value) __k + 18446744073709551389UL used as array
> index.
> 416          _M_x[__k] = (_M_x[__k + (__m - __n)] ^ (__y >> 1)

The range of values of __k is [n-m, n-1) so the range of indices is
[n-m+m-n, n-1) i.e. [0,n-1) which does not go out of range.

This seems like a Coverity bug.



> 417                       ^ ((__y & 0x01) ? __a : 0));
> 418        }
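A stand-alone check of the index arithmetic in the quoted second loop, added here as an example; it is not part of the bug report or of libstdc++. It uses n = 624 and m = 397 (the mt19937 parameters visible in the Coverity trace) and assumes a 64-bit word type so that the wrapped constant equals the 18446744073709551389UL the tool reported, and verifies that every index the loop computes stays below n.

```cpp
#include <cstdint>

// Constructed example, not libstdc++ code: mt19937 parameters as shown in the
// Coverity trace. uint64_t is an assumption so (m - n) wraps exactly as in the
// report on a 64-bit size_t.
constexpr std::uint64_t kN = 624;
constexpr std::uint64_t kM = 397;

// The index the second loop uses, written as in random.tcc: k + (m - n).
// Unsigned arithmetic is modular, so (m - n) is 2^64 - 227 and the addition
// wraps back to k - (n - m); no overflow in the C++ sense occurs.
std::uint64_t wrapped_index(std::uint64_t k) {
  return k + (kM - kN);   // kM - kN == 18446744073709551389ULL
}

// Walks k over [n-m, n-1) exactly like the loop and confirms that the wrapped
// index equals the plain k - (n - m) and never reaches n (the array size).
// Returns true when the Coverity finding is a false positive.
bool second_loop_indices_in_range() {
  for (std::uint64_t k = kN - kM; k < kN - 1; ++k) {
    const std::uint64_t idx = wrapped_index(k);
    if (idx != k - (kN - kM)) return false;  // wrapped form differs from plain form
    if (idx >= kN) return false;             // would be an out-of-bounds read
  }
  return true;
}

// Largest index the loop touches, for reporting the actual range: [0, m-1).
std::uint64_t largest_second_loop_index() {
  return wrapped_index(kN - 2);
}
```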
