https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065
--- Comment #5 from Alexander Cherepanov <ch3root at openwall dot com> ---
On 2015-10-27 02:27, joseph at codesourcery dot com wrote:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065
>
> --- Comment #4 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
> On Mon, 26 Oct 2015, ch3root at openwall dot com wrote:
>
>> The core issue is an overflow in size computations which is not limited to
>> VLA.
>> You can as easily get a crash with non-VLA-array+sizeof+malloc:
>>
>> #define N /* complex computation leading to.. */ (UINT_MAX / sizeof(int) + 2)
>> int (*p)[N];
>
> That sounds like a completely separate bug. Please file a separate bug in
> Bugzilla for it. Any construction of a non-VLA type whose size is half or
> more of the address space should receive a compile-time error, like you
> get if you don't use a pointer here.

Ok, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68107 .

> VLA size overflow, however, is undefined behavior at runtime, not compile
> time, hence a matter for ubsan.

VLA size overflow is very similar to overflow in "new". Shouldn't it be handled
in a similar way?
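The following C program is an added illustration of the size-computation overflow discussed in the thread; it is not code from the bug report, from GCC, or from the participants. It puts the unchecked product a VLA declaration (or a hand-written `n * sizeof(int)` passed to `malloc`) evaluates next to the kind of check C++ `new T[n]` performs. The function names (`unchecked_array_bytes`, `checked_array_bytes`, `alloc_ints_checked`) are mine; the "half the address space" cutoff is Joseph's stated threshold for non-VLA types, applied here at runtime as an assumption of this example, and the inputs are constructed. `SIZE_MAX / sizeof(int) + 2` is used alongside the report's `UINT_MAX / sizeof(int) + 2` so the wrap shows on both 32-bit and 64-bit targets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size computation, as performed for a VLA's size or for a
 * hand-written `n * sizeof(int)` handed to malloc: the product is
 * evaluated in size_t and wraps silently once it exceeds SIZE_MAX. */
static size_t unchecked_array_bytes(size_t n, size_t elem_size)
{
    return n * elem_size;
}

/* Checked size computation in the spirit of C++ `new T[n]`, which refuses
 * the request when n * sizeof(T) cannot be represented. Returns the byte
 * size, or 0 when the request is rejected because it is
 *  - a zero-length request (so 0 is an unambiguous failure value),
 *  - a product that would wrap size_t, or
 *  - half the address space or more (assumption of this example, mirroring
 *    the threshold the thread gives for non-VLA types at compile time). */
static size_t checked_array_bytes(size_t n, size_t elem_size)
{
    size_t bytes;
    if (n == 0 || elem_size == 0) return 0;
    if (n > SIZE_MAX / elem_size) return 0;   /* n * elem_size would wrap */
    bytes = n * elem_size;
    if (bytes > SIZE_MAX / 2) return 0;       /* half the address space or more */
    return bytes;
}

/* Heap allocation guarded by the check: NULL for any rejected count. */
static int *alloc_ints_checked(size_t n)
{
    size_t bytes = checked_array_bytes(n, sizeof(int));
    return bytes ? malloc(bytes) : NULL;
}

int main(void)
{
    /* Constructed input: the report's UINT_MAX / sizeof(int) + 2 wraps a
     * 32-bit size_t; SIZE_MAX / sizeof(int) + 2 wraps size_t of any width
     * (sizeof(int) being a power of two), landing on sizeof(int) bytes. */
    size_t n = SIZE_MAX / sizeof(int) + 2;
    int *p;

    printf("%zu ints -> unchecked byte size %zu (wrapped)\n",
           n, unchecked_array_bytes(n, sizeof(int)));
    printf("%zu ints -> checked byte size %zu (0 = rejected)\n",
           n, checked_array_bytes(n, sizeof(int)));

    p = alloc_ints_checked(n);
    printf("alloc_ints_checked(huge): %s\n", p ? "allocated (unexpected)" : "rejected");
    free(p);

    p = alloc_ints_checked(1000);
    printf("alloc_ints_checked(1000): %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```

The unchecked path is what makes the crash cheap to reach: the wrapped product is a small positive number, so the allocation or VLA succeeds and the first write past it corrupts memory. The checked path is the behaviour the comment asks for, a rejection at the point where the size is computed rather than a later fault.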