https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92589
--- Comment #6 from Kees Cook <kees at outflux dot net> --- (In reply to Jakub Jelinek from comment #4) > (In reply to Kees Cook from comment #2) > > Is there anything to enforce a strict "only consider empty array size as > > flexible array member" mode? This is an unfortunate weakening of the array > > bounds checker as there are plenty of structures that have a fixed-size > > array as the final member. > > There is -fsanitize=bounds-strict. This is too strict: it doesn't allow flexible arrays ([]) either. I'd like something that ignores _only_ flexible arrays and fails on all other trailing arrays beyond their size.
