operator new[] sometimes returns pointers to heap blocks which are too small. When a new array is allocated, the C++ run-time has to calculate its size. The product may exceed the maximum value which can be stored in a machine register. This error is ignored, and the truncated value is used for the heap allocation.
This may lead to heap overflows and therefore security bugs. (See http://cert.uni-stuttgart.de/advisories/calloc.php for further references.) The test case below uses a user-defined operator new[] to test for the presence of this problem. However, the problem itself also occurs with the default operator new[], but it is probably harder to write a portable test case for that.

    #include <testsuite_hooks.h>   // libstdc++ testsuite macros (VERIFY)
    #include <cstddef>             // size_t
    #include <cstdlib>             // malloc
    #include <new>                 // std::bad_alloc

    struct foo
    {
      char data[16];

      // A user-defined operator new[]: if the run-time computed the array size
      // correctly, this is never reached, because the requested size does not
      // fit in size_t and std::bad_alloc is thrown first.
      void* operator new[] (size_t size)
      {
        VERIFY (size != sizeof(foo));   // the truncated product equals sizeof(foo)
        VERIFY (false);                 // any call at all is a failure
        return malloc(size);
      }
    };

    int main()
    {
      // Element count chosen so that size * sizeof(foo) wraps around to sizeof(foo).
      size_t size = size_t (-1) / sizeof(foo) + 2;
      try
        {
          foo* f = new foo[size];
          VERIFY (f == 0);              // must not get here
          VERIFY (false);
        }
      catch (std::bad_alloc&)
        {
          return 0;                     // correct behaviour: the overflow is rejected
        }
    }

--
Summary: operator new[] can return heap blocks which are too small
Product: gcc
Version: 3.4.3
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: c++
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: fw at deneb dot enyo dot de
CC: gcc-bugs at gcc dot gnu dot org
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
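The following is an added example, not part of the bug report or of GCC's run-time, showing the check a conforming run-time has to perform before calling operator new[]: the element count is multiplied by the element size only after confirming that the product fits in size_t, and an overflowing request is refused instead of being truncated. It reuses the report's arithmetic (size_t(-1) / sizeof(foo) + 2 with a 16-byte foo) to show that the wrapped product really is 16 bytes, and that the checked path rejects it. The function names checked_array_bytes, truncated_array_bytes and safe_new_array are hypothetical; std::bad_array_new_length assumes a C++11 or later library.

```cpp
// Added example (not from the bug report or libstdc++). Names are hypothetical.
#include <cstddef>
#include <cstdlib>
#include <limits>
#include <new>

// Returns true and stores count * elem_size in *bytes when the product fits in
// size_t; returns false and leaves *bytes untouched when it would overflow.
bool checked_array_bytes(std::size_t count, std::size_t elem_size, std::size_t* bytes) {
    if (elem_size != 0 &&
        count > std::numeric_limits<std::size_t>::max() / elem_size)
        return false;           // count * elem_size does not fit in a size_t
    *bytes = count * elem_size;
    return true;
}

// What the bug report describes: the product computed in size_t arithmetic,
// wrapping silently modulo 2^(bits in size_t) with no diagnostic.
std::size_t truncated_array_bytes(std::size_t count, std::size_t elem_size) {
    return count * elem_size;
}

struct foo { char data[16]; };

// Allocates an array of `count` foo objects, refusing counts whose byte size
// overflows. std::bad_array_new_length (C++11) is the exception a modern
// run-time throws for this case; a pre-C++11 run-time would throw bad_alloc.
foo* safe_new_array(std::size_t count) {
    std::size_t bytes;
    if (!checked_array_bytes(count, sizeof(foo), &bytes))
        throw std::bad_array_new_length();
    void* p = std::malloc(bytes);
    if (p == nullptr)
        throw std::bad_alloc();
    return static_cast<foo*>(p);
}

// Element count from the report: (SIZE_MAX / 16) + 2, whose product with 16
// wraps around to exactly 16 bytes, the size of a single foo.
std::size_t report_count() {
    return std::size_t(-1) / sizeof(foo) + 2;
}

// Returns true when the checked allocator rejects the report's element count.
bool report_case_is_rejected() {
    try {
        foo* f = safe_new_array(report_count());
        std::free(f);           // only reached if the overflow went undetected
        return false;
    } catch (const std::bad_array_new_length&) {
        return true;
    }
}

int main() {
    // Prints nothing; the return code says whether the overflow was caught.
    return report_case_is_rejected() ? 0 : 1;
}
```

The division-based check works for every width of size_t, which is why the example does not hard-code 32 or 64 bits; the same wrap-around to sizeof(foo) happens on i686 and on x86_64 because the report's count is derived from size_t(-1).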