https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95177
Martin Sebor <msebor at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |msebor at gcc dot gnu.org --- Comment #5 from Martin Sebor <msebor at gcc dot gnu.org> --- Calling toupper() or any other character classification function declared in <ctype.h> with a negative value other than EOF is undefined. When char is a signed type, using any value outside the 7-bit ASCII set runs the risk of accessing the char classification array, commonly used to implement the functions, outside its bounds due to sign extension. The Stack Overflow post describes the technique in the abstract. An example of a real implementation is Glibc (see for instance its __isctype macro in <ctype.h>). Glibc uses casts or other conversions from char to a signed type before using the character value which suppresses GCC's -Wchar-subscripts, but the problem still exists. To avoid the out-of-bounds access the argument to these functions should be cast to unsigned char first. This is described in some detail in the CERT C Secure Coding Standard rule STR37-C. Arguments to character-handling functions must be representable as an unsigned char: https://wiki.sei.cmu.edu/confluence/x/BNcxBQ.