------- Comment #3 from manu at gcc dot gnu dot org  2008-04-01 02:53 -------
(In reply to comment #2)
> > If the size_t given to memcpy is truncated, that does not overwrite a buffer.
> But if the size_t given to malloc is truncated, that is a pretty surefire way
> to find a security issue.

I guess that depends on how the conversion occurs:

int i = -5;
...
memcpy (dest, src, i);

I would have trouble defining which cases are security issues.

On the other hand, the truncation may actually take place far from where malloc
is called:

size_t len = 999999999999999LL;
...
buffer = malloc (len);

not sure how your proposal could handle that.


-- 

manu at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |manu at gcc dot gnu dot org


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592
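
Added example, not part of the original comment or of GCC: the two conversions from the comment above, followed by a range check placed at the conversion site, since that is where the value is lost, however far away the later malloc or memcpy call is. The names size32_t, implicit_from_int, implicit_from_ll and checked_to_size32 are hypothetical, and size32_t models a 32-bit size_t so the truncation shows on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption of this example: a 32-bit size_t, modelled with uint32_t so the
   result is the same on 32-bit and 64-bit hosts. */
typedef uint32_t size32_t;

/* The implicit conversions from the comment, made explicit.
   Conversion to an unsigned type is modular, so no diagnostic is required. */
size32_t implicit_from_int(int i)        { return (size32_t)i; }
size32_t implicit_from_ll(long long len) { return (size32_t)len; }

/* Hypothetical helper: convert where the value enters the size domain and
   reject anything negative or too wide, instead of checking at the
   allocation or copy call that eventually consumes it. */
bool checked_to_size32(long long v, size32_t *out)
{
    if (v < 0 || (unsigned long long)v > UINT32_MAX)
        return false;
    *out = (size32_t)v;
    return true;
}

int main(void)
{
    size32_t n = 0;

    /* int i = -5; memcpy (dest, src, i);  -> a length close to 4 GiB */
    printf("(size32_t)-5                = %lu\n",
           (unsigned long)implicit_from_int(-5));

    /* size_t len = 999999999999999LL;     -> high bits silently dropped */
    printf("(size32_t)999999999999999LL = %lu\n",
           (unsigned long)implicit_from_ll(999999999999999LL));

    printf("checked(-5)                 = %d\n", checked_to_size32(-5, &n));
    printf("checked(999999999999999LL)  = %d\n",
           checked_to_size32(999999999999999LL, &n));
    printf("checked(4096)               = %d (n = %lu)\n",
           checked_to_size32(4096, &n), (unsigned long)n);
    return 0;
}
```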