summaryrefslogtreecommitdiffstats
path: root/libstdc++-v3
diff options
context:
space:
mode:
authorfw <fw@138bc75d-0d04-0410-961f-82ee72b054a4>2012-11-05 17:48:46 +0000
committerfw <fw@138bc75d-0d04-0410-961f-82ee72b054a4>2012-11-05 17:48:46 +0000
commit5fd168b60a241917f30526c8f5b87945e2a94b31 (patch)
tree9a13f9e7ac82123b90ffc03ec641ccc88a9e23ce /libstdc++-v3
parentdfd1bdace6e4d4aed998fe47ae60ad9dab4b8afc (diff)
downloadppe42-gcc-5fd168b60a241917f30526c8f5b87945e2a94b31.tar.gz
ppe42-gcc-5fd168b60a241917f30526c8f5b87945e2a94b31.zip
Detect overflow in size calculations in __cxa_vec_new{2,3}
2012-11-03 Florian Weimer <fweimer@redhat.com> * libsupc++/vec.cc (compute_size): New. (__cxa_vec_new2, __cxa_vec_new3): Use it. * testsuite/18_support/cxa_vec.cc: New. git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@193174 138bc75d-0d04-0410-961f-82ee72b054a4
Diffstat (limited to 'libstdc++-v3')
-rw-r--r--libstdc++-v3/ChangeLog6
-rw-r--r--libstdc++-v3/libsupc++/vec.cc22
-rw-r--r--libstdc++-v3/testsuite/18_support/cxa_vec.cc64
3 files changed, 88 insertions, 4 deletions
diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog
index 3ceefae51f7..2f02107bb63 100644
--- a/libstdc++-v3/ChangeLog
+++ b/libstdc++-v3/ChangeLog
@@ -1,3 +1,9 @@
+2012-11-03 Florian Weimer <fweimer@redhat.com>
+
+ * libsupc++/vec.cc (compute_size): New.
+ (__cxa_vec_new2, __cxa_vec_new3): Use it.
+ * testsuite/18_support/cxa_vec.cc: New.
+
2012-11-03 Robert Mason <rbmj@verizon.net>
* config/os/vxworks/os_defines.h:
diff --git a/libstdc++-v3/libsupc++/vec.cc b/libstdc++-v3/libsupc++/vec.cc
index 700c5ef431d..f9afd39df9b 100644
--- a/libstdc++-v3/libsupc++/vec.cc
+++ b/libstdc++-v3/libsupc++/vec.cc
@@ -1,7 +1,6 @@
// New abi Support -*- C++ -*-
-// Copyright (C) 2000, 2001, 2003, 2004, 2009, 2011
-// Free Software Foundation, Inc.
+// Copyright (C) 2000-2012 Free Software Foundation, Inc.
//
// This file is part of GCC.
//
@@ -59,6 +58,19 @@ namespace __cxxabiv1
globals->caughtExceptions = p->nextException;
globals->uncaughtExceptions += 1;
}
+
+ // Compute the total size with overflow checking.
+ std::size_t compute_size(std::size_t element_count,
+ std::size_t element_size,
+ std::size_t padding_size)
+ {
+ if (element_size && element_count > std::size_t(-1) / element_size)
+ throw std::bad_alloc();
+ std::size_t size = element_count * element_size;
+ if (size + padding_size < size)
+ throw std::bad_alloc();
+ return size + padding_size;
+ }
}
// Allocate and construct array.
@@ -83,7 +95,8 @@ namespace __cxxabiv1
void *(*alloc) (std::size_t),
void (*dealloc) (void *))
{
- std::size_t size = element_count * element_size + padding_size;
+ std::size_t size
+ = compute_size(element_count, element_size, padding_size);
char *base = static_cast <char *> (alloc (size));
if (!base)
return base;
@@ -124,7 +137,8 @@ namespace __cxxabiv1
void *(*alloc) (std::size_t),
void (*dealloc) (void *, std::size_t))
{
- std::size_t size = element_count * element_size + padding_size;
+ std::size_t size
+ = compute_size(element_count, element_size, padding_size);
char *base = static_cast<char *>(alloc (size));
if (!base)
return base;
diff --git a/libstdc++-v3/testsuite/18_support/cxa_vec.cc b/libstdc++-v3/testsuite/18_support/cxa_vec.cc
new file mode 100644
index 00000000000..08713f16894
--- /dev/null
+++ b/libstdc++-v3/testsuite/18_support/cxa_vec.cc
@@ -0,0 +1,64 @@
+// { dg-do run }
+// Avoid use of none-overridable new/delete operators in shared
+// { dg-options "-static" { target *-*-mingw* } }
+// Test __cxa_vec routines
+// Copyright (C) 2000-2012 Free Software Foundation, Inc.
+// Contributed by Nathan Sidwell 7 Apr 2000 <nathan@nathan@codesourcery.com>
+
+#include <cxxabi.h>
+#include <stdio.h>
+#include <new>
+#include <stdlib.h>
+#include <setjmp.h>
+
+// Allocate enough padding to hold an array cookie.
+#ifdef __ARM_EABI__
+static const size_t padding = 8;
+#else
+static const size_t padding = (sizeof (std::size_t));
+#endif
+
+// our pseudo ctors and dtors
+static abi::__cxa_cdtor_return_type ctor (void *x)
+{
+ abort ();
+}
+
+static abi::__cxa_cdtor_return_type dtor (void *x)
+{
+ abort ();
+}
+
+// allocate an array whose size causes an overflow during multiplication
+void test1 ()
+{
+ static const std::size_t large_size =
+ std::size_t(1) << (sizeof(std::size_t) * 8 - 2);
+ try
+ {
+ abi::__cxa_vec_new (large_size, 8, 0, ctor, dtor);
+ abort ();
+ }
+ catch (std::bad_alloc &)
+ {
+ }
+}
+
+// allocate an array whose size causes an overflow during addition
+void test2 ()
+{
+ try
+ {
+ abi::__cxa_vec_new (std::size_t(-1) / 4, 4, padding, ctor, dtor);
+ abort ();
+ }
+ catch (std::bad_alloc &)
+ {
+ }
+}
+
+int main ()
+{
+ test1 ();
+ test2 ();
+}
OpenPOWER on IntegriCloud