https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119132
Bug ID: 119132
Summary: off-by-one error in -fsanitizer=bounds when addressing a pointer instead of an integral
Product: gcc
Version: 15.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: kees at outflux dot net
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Target Milestone: ---

The bounds sanitizer does not trip when accessing the address of the last array element (but does if it is accessed as an integral). For example:

    #include <stdlib.h>
    #include <stdio.h>

    #define SIZE 3

    struct foo {
        int count;
        int array[SIZE];
    };

    volatile int zero = 0; // hide const expression size from optimizer

    int main(int argc, char *argv[])
    {
        int size = SIZE + zero;

        // include trailing space to avoid segfaults on "out of bounds" access
        struct foo *p = calloc(1, sizeof(*p) + sizeof(int) + sizeof(int));

        // this correctly trips sanitizer:
        int val = p->array[size];
        printf("%d\n", val);

        // this does not?!
        int *valp = &p->array[size];
        printf("%p %d\n", valp, *valp);

        // but this does...
        int *val2 = &p->array[size + 1];
        printf("%p %d\n", val2, *val2);

        return 0;
    }

    ./example.c:19:23: runtime error: index 3 out of bounds for type 'int [3]'
    0
    0xd0b42c0 0
    ./example.c:27:26: runtime error: index 4 out of bounds for type 'int [3]'
    0xd0b42c4 0

This was noticed while using the "counted_by" attribute on a flexible array, but it is present even with fixed-size arrays.
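The reproducer above runs two different operations together: forming the address &p->array[size] (which C permits for the one-past-the-end element, as an end marker) and then reading through that pointer, a load that goes through a plain pointer rather than an indexed array reference and is not flagged by the sanitizer in the output shown. The following added example, not part of the bug report, separates the two with explicit checks against the struct's own count field, using a count-prefixed flexible array (the shape the reporter mentions with counted_by) and constructed values 1, 2, 3; the helper names are assumptions of this example.

```c
#include <stdlib.h>

/* Flexible array whose length is recorded in count (the counted_by shape). */
struct foo {
    int count;
    int array[];
};
/* Allocate room for n zeroed elements. */
static struct foo *foo_alloc(int n)
{
    struct foo *p = calloc(1, sizeof(*p) + (size_t)n * sizeof(int));
    if (p) p->count = n;
    return p;
}

/* Element access: idx must be strictly below count.  idx == count is rejected
 * because that pointer may be formed but must never be dereferenced. */
static int *foo_elem(struct foo *p, int idx)
{
    if (idx < 0 || idx >= p->count) return NULL;
    return &p->array[idx];
}

/* Address formation: one past the last element, valid only as an end marker. */
static int *foo_end(struct foo *p)
{
    return &p->array[p->count];
}

/* Iterate up to the end pointer without ever reading through it. */
static long foo_sum(struct foo *p)
{
    long s = 0;
    for (int *it = p->array; it != foo_end(p); it++) s += *it;
    return s;
}

/* Returns 1 when the accessors behave as described, on constructed values 1,2,3. */
static int foo_selftest(void)
{
    struct foo *p = foo_alloc(3);
    if (!p) return 0;
    for (int i = 0; i < p->count; i++) p->array[i] = i + 1;
    int ok = foo_elem(p, 2) == &p->array[2]   /* last valid element */
          && foo_elem(p, 3) == NULL           /* index == count: no access */
          && foo_end(p) == p->array + 3       /* but its address is usable */
          && foo_sum(p) == 6;
    free(p);
    return ok;
}
```

Compiled with -fsanitize=bounds, the indexed read inside foo_elem stays within count by construction, so the only out-of-bounds condition left to catch is the one the explicit check already rejects.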