> On Mar 4, 2025, at 23:57, Kees Cook <k...@kernel.org> wrote:
>
> #include <stdlib.h>
> #include <stdio.h>
>
> // Header followed by a flexible array member; the __counted_by__ attribute
> // names `count` as the number of valid elements in `array`, which is what
> // the bounds sanitizer checks against below.
> struct foo {
> int count;
> int array[] __attribute__((__counted_by__(count)));
> };
>
> // Reproducer: reads one element past the __counted_by__ bound through two
> // expression forms and shows that only the direct subscript is diagnosed.
> int main(int argc, char *argv[]) {
> int num_elems = 2 + argc;
>
> // Allocation is header + num_elems elements + one extra int of slack, so
> // the read at index num_elems below stays within the allocated object and
> // only the counted_by bound (count == num_elems) is exceeded.
> // NOTE(review): the malloc result is not checked; p->count on the next
> // line dereferences NULL if the allocation fails.
> struct foo *p = malloc(sizeof(*p) + num_elems * sizeof(*p->array) +
> sizeof(int));
> p->count = num_elems;
>
> // this correctly trips sanitizer:
> // (a direct subscript one past count, which the instrumented access sees)
> int val = p->array[num_elems];
> printf("%d\n", val);
>
> // this does not?!
> // (presumably because &array[i] is pointer arithmetic rather than an array
> // access, and the later *valp dereference goes through a plain int * that
> // carries no bound -- to confirm against the sanitizer's instrumentation)
> int *valp = &p->array[num_elems];
> // NOTE(review): %p expects a void *; valp would need a cast for strict
> // conformance, though this does not affect the reproducer.
> printf("%p %d\n", valp, *valp);
>
> return 0;
> }