From 6d0ae0359c02628fa469d393739d564a630874b1 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 5 Nov 2012 18:48:46 +0100 Subject: [PATCH] Detect overflow in size calculations in __cxa_vec_new{2,3} 2012-11-03 Florian Weimer * libsupc++/vec.cc (compute_size): New. (__cxa_vec_new2, __cxa_vec_new3): Use it. * testsuite/18_support/cxa_vec.cc: New. From-SVN: r193174 --- libstdc++-v3/ChangeLog | 6 +++ libstdc++-v3/libsupc++/vec.cc | 22 ++++++++-- libstdc++-v3/testsuite/18_support/cxa_vec.cc | 64 ++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+), 4 deletions(-) create mode 100644 libstdc++-v3/testsuite/18_support/cxa_vec.cc diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog index 3ceefae..2f02107 100644 --- a/libstdc++-v3/ChangeLog +++ b/libstdc++-v3/ChangeLog @@ -1,3 +1,9 @@ +2012-11-03 Florian Weimer + + * libsupc++/vec.cc (compute_size): New. + (__cxa_vec_new2, __cxa_vec_new3): Use it. + * testsuite/18_support/cxa_vec.cc: New. + 2012-11-03 Robert Mason * config/os/vxworks/os_defines.h: diff --git a/libstdc++-v3/libsupc++/vec.cc b/libstdc++-v3/libsupc++/vec.cc index 700c5ef..f9afd39 100644 --- a/libstdc++-v3/libsupc++/vec.cc +++ b/libstdc++-v3/libsupc++/vec.cc @@ -1,7 +1,6 @@ // New abi Support -*- C++ -*- -// Copyright (C) 2000, 2001, 2003, 2004, 2009, 2011 -// Free Software Foundation, Inc. +// Copyright (C) 2000-2012 Free Software Foundation, Inc. // // This file is part of GCC. // @@ -59,6 +58,19 @@ namespace __cxxabiv1 globals->caughtExceptions = p->nextException; globals->uncaughtExceptions += 1; } + + // Compute the total size with overflow checking. + std::size_t compute_size(std::size_t element_count, + std::size_t element_size, + std::size_t padding_size) + { + if (element_size && element_count > std::size_t(-1) / element_size) + throw std::bad_alloc(); + std::size_t size = element_count * element_size; + if (size + padding_size < size) + throw std::bad_alloc(); + return size + padding_size; + } } // Allocate and construct array. @@ -83,7 +95,8 @@ namespace __cxxabiv1 void *(*alloc) (std::size_t), void (*dealloc) (void *)) { - std::size_t size = element_count * element_size + padding_size; + std::size_t size + = compute_size(element_count, element_size, padding_size); char *base = static_cast (alloc (size)); if (!base) return base; @@ -124,7 +137,8 @@ namespace __cxxabiv1 void *(*alloc) (std::size_t), void (*dealloc) (void *, std::size_t)) { - std::size_t size = element_count * element_size + padding_size; + std::size_t size + = compute_size(element_count, element_size, padding_size); char *base = static_cast(alloc (size)); if (!base) return base; diff --git a/libstdc++-v3/testsuite/18_support/cxa_vec.cc b/libstdc++-v3/testsuite/18_support/cxa_vec.cc new file mode 100644 index 0000000..08713f1 --- /dev/null +++ b/libstdc++-v3/testsuite/18_support/cxa_vec.cc @@ -0,0 +1,64 @@ +// { dg-do run } +// Avoid use of none-overridable new/delete operators in shared +// { dg-options "-static" { target *-*-mingw* } } +// Test __cxa_vec routines +// Copyright (C) 2000-2012 Free Software Foundation, Inc. +// Contributed by Nathan Sidwell 7 Apr 2000 + +#include +#include +#include +#include +#include + +// Allocate enough padding to hold an array cookie. +#ifdef __ARM_EABI__ +static const size_t padding = 8; +#else +static const size_t padding = (sizeof (std::size_t)); +#endif + +// our pseudo ctors and dtors +static abi::__cxa_cdtor_return_type ctor (void *x) +{ + abort (); +} + +static abi::__cxa_cdtor_return_type dtor (void *x) +{ + abort (); +} + +// allocate an array whose size causes an overflow during multiplication +void test1 () +{ + static const std::size_t large_size = + std::size_t(1) << (sizeof(std::size_t) * 8 - 2); + try + { + abi::__cxa_vec_new (large_size, 8, 0, ctor, dtor); + abort (); + } + catch (std::bad_alloc &) + { + } +} + +// allocate an array whose size causes an overflow during addition +void test2 () +{ + try + { + abi::__cxa_vec_new (std::size_t(-1) / 4, 4, padding, ctor, dtor); + abort (); + } + catch (std::bad_alloc &) + { + } +} + +int main () +{ + test1 (); + test2 (); +} -- 2.7.4