https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112539
Bug ID: 112539
Summary: a struct with an array of unknown size at the end allows writing past end of the struct
Product: gcc
Version: 11.4.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: pgmer6809 at yahoo dot com
Target Milestone: ---

Created attachment 56590
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56590&action=edit
the output of the gcc --save-temps command

See the manpage for the sizeof operator at: https://man7.org/linux/man-pages/man3/offsetof.3.html

It gives an example of code that shows the size of a struct defined as:

    struct s {
        int i;
        char c;
        double d;
        char a[];
    };
    struct s S;

In their sample program (attached?) the output shows that the offset of a[] is given as 16; the size of the struct is also given as 16. This is clearly incorrect. Changing a[] to either simply a, or even a[1], makes the size of the struct 24 bytes, which is correct.

I modified their program to actually try writing to locations S.a[0] and S.a[1] successfully. The code compiles and runs, and even reports the correct values when I try to print them out.

So (a) is this a bug in the sizeof operator? (b) could one use the fact that we can write beyond the end of the struct as the basis for some sort of exploit?

Attached is the file with the gcc output from the --save-temps that you want me to include with the bug report. The actual output from the screen is below.

Hope this helps.

Regards,
Greg Morse; pgmer6...@yahoo.com

Here is the printed output of the program:

greg21@trojan:/tmp$ ./a.out
offsets: i=0; c=4; d=8 a=16
sizeof(struct s)=16
sizeof Int = 4, char=1, double=8,
The value of S.a is 5A:Z, W
The address of S is 0x7fff9be5d070 ; The address of S.a is 0x7fff9be5d080
The address of S.a[0] is 0x7fff9be5d080, and that of S.a[1] is: 0x7fff9be5d081
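The trailing `char a[]` in the reported struct is what C99 (6.7.2.1) calls a flexible array member: the standard defines sizeof of such a struct as if the array were omitted, and the storage for the array has to be requested by the program when the object is allocated. The following example is added here for illustration and is not code from the bug report or from GCC; it reproduces the reporter's sizes (16 for the flexible array member, 24 for `a[1]`) on an x86-64-style layout, which is an assumption, and shows the allocation idiom that keeps writes to `a[]` inside the object's own storage. The helper names `s_alloc` and `s_fill` are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the struct in the bug report; the trailing char a[]
   is a C99 flexible array member (FAM). */
struct s {
    int i;
    char c;
    double d;
    char a[];
};

/* Same struct with a one-element array instead of a FAM, for comparison. */
struct s_one {
    int i;
    char c;
    double d;
    char a[1];
};

/* sizeof(struct s) counts only the fixed members plus padding; the FAM adds
   nothing.  On an x86-64-style layout (assumed here) that is 16 bytes. */
size_t fam_struct_size(void) {
    return sizeof(struct s);
}

/* The FAM starts right after the fixed members: also 16 on this layout. */
size_t fam_offset(void) {
    return offsetof(struct s, a);
}

/* With a[1] the array occupies a byte, and the struct is padded up to its
   8-byte alignment, giving 24 bytes: the reporter's second observation. */
size_t one_element_struct_size(void) {
    return sizeof(struct s_one);
}

/* Allocate a struct s with room for n bytes in a[].  The FAM storage must be
   requested explicitly; a plain "struct s S;" declaration owns no bytes for
   a[] at all, so any store through S.a lands outside the object. */
struct s *s_alloc(size_t n) {
    struct s *p = malloc(sizeof(struct s) + n);   /* fixed part + n bytes */
    if (p == NULL) return NULL;
    memset(p, 0, sizeof(struct s) + n);
    return p;
}

/* Copy label into a[], bounded by the n bytes that were allocated for it.
   Returns the number of bytes written, never more than n. */
size_t s_fill(struct s *p, size_t n, const char *label) {
    size_t len = strlen(label);
    if (len > n) len = n;   /* truncate instead of writing past the allocation */
    memcpy(p->a, label, len);
    return len;
}

int main(void) {
    printf("sizeof(struct s)=%zu offsetof(a)=%zu sizeof(struct s_one)=%zu\n",
           fam_struct_size(), fam_offset(), one_element_struct_size());
    struct s *p = s_alloc(4);
    if (p == NULL) return 1;
    size_t written = s_fill(p, 4, "ABCDEFG");   /* constructed sample input */
    printf("wrote %zu bytes into a[]: %.4s\n", written, p->a);
    free(p);
    return 0;
}
```

Compiled with `-fsanitize=address`, a store through an unallocated `S.a[0]` is reported as an out-of-bounds access, while the `s_alloc`/`s_fill` pair above runs clean because every byte it touches was part of the `malloc` request.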