https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119132
Kees Cook <kees at outflux dot net> changed:
What           |Removed  |Added
----------------------------------------------------------------------------
Resolution     |INVALID  |---
Status         |RESOLVED |UNCONFIRMED
--- Comment #5 from Kees Cook <kees at outflux dot net> ---
(In reply to Andrew Pinski from comment #3)
> On &p->array[size + 1];
>
> The instrument is to make sure that would form a valid range of the index.
> Which is only 0...size.
>
> The instrumentation is not done on the pointer dereference later on either.
What? No, only 0...size-1 are valid. The bounds sanitizer trips for
p->array[size]. That's correct behavior. But not for &(p->array[size]). That's
unexpected and dangerous.