I have one more example similar to PR86259, that resembles IMHO real world code:
Consider the following: int fun (char *p) { char buf[16]; assert(strlen(p) < 4); //here: security relevant check sprintf(buf, "echo %s - %s", p, p); //here: security relevant code return system(buf); } What is wrong with the assertion? Nothing, except it is removed, when this function is called from untrusted code: untrused_fun () { char b[2] = "ab"; fun(b); } !!!! don't try to execute that: after "ab" there can be "; rm -rF / ;" on your stack!!!! Even the slightly more safe check "assert(strnlen(p, 4) < 4);" would have been removed. Now that is a simple error and it would be easy to fix -- normally. But when the assertion is removed, the security relevant code is allowed to continue where it creates more damage and is suddenly much harder to debug. So, I start to believe that strlen range assumptions are unsafe, unless we can prove that the string is in fact zero terminated. I would like to guard the strlen range checks with a new option, maybe -fassume-zero-terminated-char-arrays, and enable that under -Ofast only. What do you think? Thanks Bernd.