>>>>> Robert C Seacord writes: Robert> I believe the vulnerability is that gcc may *silently* Robert> discard the overflow checks and that this is a recent change in behavior.
Robert> You are also right that the popularity of gcc is one of the reasons we Robert> decided to publish on this. If you identify other compilers that a) are Robert> relatively popular, b) have changed their behavior recently, and c) Robert> silently optimize out overflow checks we will consider publishing Robert> vulnerability notes for those compilers as well. All optimizing compilers silently should remove the check in the process of optimizating the example code. Compilers generally do not warn by default when processing code in a way that conforms to a language standard. I believe that GCC developers are disappointed that CERT has chosen to single out GCC using the above set of criteria while most other compilers perform the same transformation. If CERT wants to warn about poorly-written code, it should focus on that vulnerability. David