On Sat, Apr 07, 2007 at 12:15:10PM +0200, Florian Weimer wrote:
> * Karl Chen:
>
> > "4 * n", unchecked, is vulnerable to integer overflow. On IA-32,
> > "new int[0x40000001]" becomes equivalent to "new int[1]". I've
> > verified this on gcc-2.95 through 4.1. For larger objects the
> > effects are exaggerated; smaller counts are needed to overflow.
>
> This is PR19351, by the way.
Also by the way, it's triggered in the libstdc++ testsuite in at least one place :-) I can't remember which test any more, but last month I discovered that there is a use of operator new[] with a subscript of INT_MAX - 1 (INT_MAX is handled specially). In general this still works out to be more memory than can be allocated and the test tests what it wanted to (bad_alloc).

-- 
Daniel Jacobowitz
CodeSourcery
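The size computation the thread discusses, shown as an added example (not code from the thread, the GCC project, or libstdc++): `unchecked_bytes_32` reproduces the 32-bit wrap that turns a count of 0x40000001 ints into a 4-byte request, and `checked_array_bytes` / `checked_new_array` are a hypothetical guarded wrapper that rejects any count whose byte size would overflow `size_t` before calling `new[]`. The helper names are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <new>

// Unchecked 32-bit size computation, i.e. what an IA-32 operator new[]
// did when it multiplied "sizeof(T) * n" without an overflow test.
// 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32-bit arithmetic:
// the same number of bytes as "new int[1]".
std::uint32_t unchecked_bytes_32(std::uint32_t count, std::uint32_t elem_size) {
    return count * elem_size;  // unsigned arithmetic wraps modulo 2^32, silently
}

// Guarded version: compute count * elem_size only if the product fits in size_t.
// Returns false (leaving *out untouched) when it would overflow.
bool checked_array_bytes(std::size_t count, std::size_t elem_size, std::size_t *out) {
    if (elem_size != 0 &&
        count > std::numeric_limits<std::size_t>::max() / elem_size)
        return false;  // count * elem_size would not fit
    *out = count * elem_size;
    return true;
}

// Hypothetical allocation wrapper: refuse the request with std::bad_alloc
// instead of under-allocating a buffer the caller believes holds `count` elements.
template <typename T>
T *checked_new_array(std::size_t count) {
    std::size_t bytes;
    if (!checked_array_bytes(count, sizeof(T), &bytes))
        throw std::bad_alloc();
    return new T[count];
}

// True if the guarded path rejected `count` (overflow or genuine allocation failure),
// false if an array of that many ints was allocated and released normally.
bool checked_new_rejects(std::size_t count) {
    try {
        int *p = checked_new_array<int>(count);
        delete[] p;
        return false;
    } catch (const std::bad_alloc &) {
        return true;
    }
}
```

The overflow test divides rather than multiplies, so it cannot itself wrap; the same pattern applies to any `size * count` computation that feeds an allocator, not just `new[]`.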