Issue 129951
Summary off-by-one error in -fsanitize=bounds when addressing a pointer instead of an integral
Labels new issue
Assignees
Reporter kees
    The bounds sanitizer does not trip when accessing the address of the last array element (but does if it accessed as an integral). For example:

#include <stdlib.h>
#include <stdio.h>

#define SIZE 3

struct foo {
    int count;
    int array[SIZE];
};

volatile int zero = 0; // hide const expression size from optimizer

int main(int argc, char *argv[]) {
    int size = SIZE + zero;
    // include trailing space to avoid segfaults on "out of bounds" access
    struct foo *p = calloc(1, sizeof(*p) + sizeof(int) + sizeof(int));

    // this correctly trips sanitizer:
    int val = p->array[size];
    printf("%d\n", val);

    // this does not?!
    int *valp = &p->array[size];
    printf("%p %d\n", valp, *valp);

    // but this does...
    int *val2 = &p->array[size + 1];
    printf("%p %d\n", val2, *val2);

    return 0;
}

Built with: -O2 -Wall -fstrict-flex-arrays=3 -fsanitize=bounds

./example.c:19:23: runtime error: index 3 out of bounds for type 'int [3]'
0
0xd0b42c0 0
./example.c:27:26: runtime error: index 4 out of bounds for type 'int [3]'
0xd0b42c4 0

This was noticed while using the "counted_by" attribute on a flexible array, but it is present even with fixed-size arrays.
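C allows forming the one-past-the-end pointer &array[SIZE] (only dereferencing it is invalid), which is why the address-of case at index == size is not flagged while index == size + 1 is; the later dereference through the plain pointer is then unchecked. The following is an added example (not from the bug report or LLVM) showing an explicit accessor that rejects a pointer to array[idx] whenever idx cannot be dereferenced, while still exposing a one-past-the-end pointer for iteration; the helper names foo_elem, foo_end and sample_get are assumptions.

```c
/* Added example: explicit bounds-checked access to struct foo's array.
 * Not part of the bug report; helper names are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define SIZE 3

struct foo {
    int count;
    int array[SIZE];
};

/* Pointer to array[idx] only when idx is dereferenceable.
 * Unlike &p->array[idx], which C permits for idx == SIZE (the
 * one-past-the-end pointer) and which -fsanitize=bounds therefore
 * does not flag, this rejects idx >= SIZE. Returns NULL when out of range. */
int *foo_elem(struct foo *p, size_t idx)
{
    if (p == NULL || idx >= SIZE)
        return NULL;
    return &p->array[idx];
}

/* One-past-the-end pointer: valid for comparison, never for dereference. */
int *foo_end(struct foo *p)
{
    return p->array + SIZE;
}

/* Constructed sample instance used by sample_get() and main(). */
static struct foo sample = { .count = SIZE, .array = { 10, 20, 30 } };

/* Value of sample.array[idx], or -1 when idx cannot be dereferenced. */
int sample_get(size_t idx)
{
    int *e = foo_elem(&sample, idx);
    return e ? *e : -1;
}

int main(void)
{
    /* Walk one past the end: the last step is rejected instead of read. */
    for (size_t i = 0; i <= SIZE; i++)
        printf("array[%zu]: %d\n", i, sample_get(i));
    /* foo_end() may be compared against but never dereferenced. */
    printf("end == &array[SIZE]: %d\n", foo_end(&sample) == &sample.array[SIZE]);
    return 0;
}
```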