oss-sec mailing list archives

Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)|


From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 08 Nov 2019 20:20:55 +0100

* Russ Allbery:

> The C standard says this shouldn't be the default, but software that cares
> about avoiding undefined behavior should consider adding -fwrapv, or
> carefully writing the check to avoid overflow (something that, sadly, one
> needs to become expert in to use C relatively safely).

The C standard doesn't *require* a particular behavior (for non-atomic
integers).  Each time this comes up in the committees, more strict
requirements do not make it into the text.  For example, the recent
P0907R4 for C++, “Signed Integers are Two’s Complement”
<http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2018/p0907r4.html>
does not require it, either:

| /Status-quo/ If a signed operation would naturally produce a value
| that is not within the range of the result type, the behavior is
| undefined.
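What "carefully writing the check to avoid overflow" looks like in practice, as an added example that is not code from this thread, from gcc or from the cited paper: the `x + 100 > x` predicate from the subject line, and its general `a + b` form, rewritten so the possibly-overflowing sum is never evaluated. It assumes plain C with `<limits.h>`; the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>

/* Is x + 100 representable as int?  The naive "x + 100 > x" relies on
   wrap-around, which the standard leaves undefined for signed int, so the
   compiler may fold it to "always true".  This form compares values that
   are always in range, so it is defined for every x. */
bool can_add_100(int x)
{
    return x <= INT_MAX - 100;
}

/* General form: would a + b leave the range of int?  INT_MAX - b and
   INT_MIN - b are themselves in range on the branches where they are used. */
bool add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;
    if (b < 0)
        return a < INT_MIN - b;
    return false;
}

/* Same predicate via the gcc/clang builtin, which reports overflow of the
   mathematically exact sum; falls back to the portable form elsewhere. */
bool add_would_overflow_builtin(int a, int b)
{
#if defined(__GNUC__) || defined(__clang__)
    int sum;
    return __builtin_add_overflow(a, b, &sum);
#else
    return add_would_overflow(a, b);
#endif
}

/* Bounds-check idiom: hand back the sum only when it is representable,
   so callers never perform the overflowing addition themselves. */
bool checked_add(int a, int b, int *out)
{
    if (add_would_overflow(a, b))
        return false;
    *out = a + b;
    return true;
}
```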
