https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848
--- Comment #17 from Aaron Ballman <aaron at aaronballman dot com> ---
(In reply to Martin Uecker from comment #16)
> I do not think -Wall should warn about GNU extensions when used with
> -std=gnu++XX in C++ and I think it is annoying that clang does it now. It
> only drives people to use alloca or other alternatives with worse safety
> properties.
>
> And I think the security concerns for VLAs are largely based on a logical
> fallacy: Because they appear in CVE is no reason to believe they caused it:
> It is likely saying that people ICDs have more often cardiac arrests if
> because of the ICDs. Any kind of dynamically sized buffer will appear in
> CVEs because buffers are used to process data from the network. If you
> discourage the one with the best potential for bounds checking people will
> turn to worse options. This will not improve safety.
>
> But stack clash protection should become the default.

In the time I opened this request, a new CVE related to VLAs came out:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-4039

Stack protection should become the default and it should certainly help
mitigate issues, but VLAs are still a valid security concern IMO. So yes, this
is intended to drive people to use alternatives (not necessarily `alloca`,
which would be a strange choice of replacement for VLAs in C++ in 2023).