On 09/03/2014 05:20 PM, Joseph S. Myers wrote:
> On Wed, 3 Sep 2014, Florian Weimer wrote:
>
> > On 09/02/2014 11:22 PM, James Nelson wrote:
> >
> > > This is error-prone because even though a size parameter is given, the code
> > > in the function has no requirement to enforce it. With a bounded array
> > > type, the prototype looks like this:
> > >
> > > buf *foo(char buf[sz], size_t sz);
> >
> > GCC already has a syntax extension to support this:
> > <https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html>
>
> But the size declared in a parameter declaration has no semantic
> significance; there is no requirement that the pointer passed does point
> to an array of that size.

I believe this was different with the bounded pointer extension. But I might misremember how things worked. I've never used it (I think), I only recall reading some documentation which has now vanished.

> If you declare the size as [static sz] then
> that means it points to an array of at least that size, but it could be
> larger.

GCC does not seem to enforce that.  This compiles without errors:

int foo(char [static 5]);

int
bar(char *p)
{
  return foo(p);
}

This could be

--
Florian Weimer / Red Hat Product Security
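Since `[static 5]` is a promise the compiler never checks, a caller has to enforce the bound itself. The following is an added example, not code from this thread: `FOO_CHECKED` is a macro of mine that turns a too-small real array into a compile error, and `foo_bounded` is a hypothetical variant that carries the size explicitly and checks it at run time, which is all that is left once the array has decayed to a pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* The callee promises it needs at least 5 bytes, but as the thread
 * shows, GCC does not check that callers honour [static 5]. */
int foo(char buf[static 5])
{
    return buf[4];
}

/* Pattern 1: compile-time check, valid only when the argument is a real
 * array (not a pointer).  A false condition produces a negative array
 * size, so a too-small array fails to compile instead of overreading. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))
#define MUST_BE_TRUE(cond) ((int)sizeof(char[(cond) ? 1 : -1]) * 0)
#define FOO_CHECKED(arr) (MUST_BE_TRUE(ARRAY_LEN(arr) >= 5) + foo(arr))

/* Pattern 2: pass the size explicitly and enforce it at run time; the
 * only option after the array has decayed to a pointer. */
int foo_bounded(const char *buf, size_t sz)
{
    if (buf == NULL || sz < 5)
        return -1;          /* refuse rather than read past the buffer */
    return buf[4];
}

/* Exercises the compile-time pattern on a constructed 8-byte array. */
int demo_checked(void)
{
    char big[8] = "ABCDEFG";
    return FOO_CHECKED(big);    /* ARRAY_LEN(big) == 8 >= 5: compiles */
}

int main(void)
{
    char small[3] = "ab";       /* constructed undersized buffer */

    printf("FOO_CHECKED(big) = %d\n", demo_checked());
    /* FOO_CHECKED(small) would be rejected by the compiler: 3 < 5. */
    printf("foo_bounded(small) = %d\n", foo_bounded(small, sizeof small));
    return 0;
}
```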
