https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065

            Bug ID: 68065
           Summary: Size calculations for VLAs can overflow
           Product: gcc
           Version: 5.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ch3root at openwall dot com
  Target Milestone: ---

The following program crashes while writing to a buffer:

#include <stdint.h>
#include <stdio.h>

int main(void)
{
  /* Chosen so that size * sizeof(int) wraps around in size_t. */
  size_t size = SIZE_MAX / sizeof(int) + 2;
  int buf[size];

  /* Prints the wrapped byte size, not size * sizeof(int). */
  printf("%zu\n", sizeof(buf));
  /* Writes far past the end of the undersized buffer. */
  for (size_t i = 0; i < size; i++)
    buf[i] = 1;

  return 0;
}

(Compile without optimization or make sure the loop is not optimized away.)

It would be better to detect an overflow in the size calculation and crash
right away, before any harm is done.

While at it, the size of VLAs could probably be limited to PTRDIFF_MAX to be in
line with ordinary arrays.
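As an added example (not part of the report or of GCC), the check the reporter asks the compiler for, done by hand at the point where the element count is known: it rejects a count whose byte size would wrap in size_t or exceed PTRDIFF_MAX before any VLA is declared, and shows the wrapped size the report's printf observes. The names check_vla_size, wrapped_vla_size and fill_checked are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of validating a requested VLA element count. */
enum vla_check {
    VLA_OK,                 /* count * elem_size fits and is <= PTRDIFF_MAX */
    VLA_OVERFLOW_SIZE_T,    /* count * elem_size wraps around in size_t */
    VLA_EXCEEDS_PTRDIFF_MAX /* fits in size_t but is larger than PTRDIFF_MAX */
};

/* Validate before declaring the VLA. Division keeps the check itself free of
   overflow; the second test applies the PTRDIFF_MAX limit of ordinary arrays. */
enum vla_check check_vla_size(size_t count, size_t elem_size)
{
    if (elem_size == 0)
        return VLA_OK;
    if (count > SIZE_MAX / elem_size)
        return VLA_OVERFLOW_SIZE_T;
    if (count * elem_size > (size_t)PTRDIFF_MAX)
        return VLA_EXCEEDS_PTRDIFF_MAX;
    return VLA_OK;
}

/* The byte size an unchecked multiplication yields: ordinary modular size_t
   arithmetic, which is what sizeof(buf) in the report prints. */
size_t wrapped_vla_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Fill 'count' ints through a VLA, but only if the size check passes.
   Returns the number of ints written, 0 when the request was refused. */
size_t fill_checked(size_t count)
{
    if (check_vla_size(count, sizeof(int)) != VLA_OK)
        return 0;                     /* refuse instead of writing out of bounds */
    int buf[count];
    for (size_t i = 0; i < count; i++)
        buf[i] = 1;
    return count;
}

int main(void)
{
    size_t size = SIZE_MAX / sizeof(int) + 2;   /* the count from the report */
    printf("requested %zu ints, wrapped byte size %zu, check result %d\n", size,
           wrapped_vla_size(size, sizeof(int)), (int)check_vla_size(size, sizeof(int)));
    printf("fill_checked(16) wrote %zu ints\n", fill_checked(16));
    return 0;
}
```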
