On 2/7/14, Ted Unangst <t...@tedunangst.com> wrote:
> On Sat, Feb 08, 2014 at 01:32, Christian Weisgerber wrote:
>> Back in January, there was this commit to gcc:
>>
>> Enable Wbounded by default.  Passing bound bigger than the buffer
>> size almost always has security implications.
>
> Very interesting set of errors. Just based on a quick read through the
> log file:
>
>> ./audio/rioutil.log:rio.c:650: warning: array size (16) smaller than bound length (17)
>
> There's some like this that look like obvious off by ones.
>
>> ./audio/pms.log:src/libmpdclient.c:396: warning: array size (1001) smaller than bound length (50000)
>
> There's some like this where you wonder how the two lengths could
> possibly be related.
>
>> ./audio/festival/core.log:EST_Chunk.cc:336: warning: array size (1)
>> smaller than bound length (20)
>
> There's a lot of size 1 warnings, which I'd guess are uses of the
> struct hack and probably lower priority.

you don't like those?

>> ./audio/soundtracker.log:gui.c:1609: warning: non-positive bounds length
>> (-1) detected
>
> WTF?

my guess: pointer into some buffer, and doing a look-back
for last character in said buffer.

char *p = somebuf;
for (...) {
    if (*p == 'r' && p[-1] == '\\')
        printf("or something like that...\n");
}

meh,
--patrick

>> ./audio/audacious-plugins.log:Gb_Apu.cxx:126: warning: array size (16)
>> smaller than bound length (32)
>> ./audio/milkytracker.log:ExporterXM.cpp:70: warning: array size (256)
>> smaller than bound length (1024)
>
> And there's quite a few that are off by a multiple of two or four.

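The three recurring shapes in the warnings quoted above (an off by one, a bound that is a multiple of the array size, and size-1 struct-hack arrays), each written so the bound comes from the destination itself. This is an added example, not code from any of the ports in the log; the function names and the causes named in the comments are assumptions, not diagnoses of those ports.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Off by one. Flagged form: snprintf(id, 17, ...) into char id[16]. */
size_t copy_id(const char *src)
{
    char id[16];
    snprintf(id, sizeof(id), "%s", src);    /* bound derived from the array */
    return strlen(id);                      /* never more than 15 */
}

/* Bytes vs. elements (assumed cause of a 2x or 4x bound). Flagged form:
 * memcpy(frame, src, NELEM(frame) * sizeof(int32_t)), twice too big. */
int32_t sum_frame(const int16_t *src)
{
    int16_t frame[16];
    int32_t sum = 0;
    memcpy(frame, src, sizeof(frame));      /* 32 bytes, exactly the array */
    for (size_t i = 0; i < NELEM(frame); i++)
        sum += frame[i];
    return sum;
}

/* Struct hack. With "char data[1]" a constant-length copy into data is
 * compared against a declared size of 1. A C99 flexible array member
 * declares no size; the real bound is the allocation made below. */
struct chunk {
    size_t len;
    char data[];
};

struct chunk *chunk_new(const char *src, size_t n)
{
    struct chunk *c = malloc(sizeof(*c) + n + 1);
    if (c == NULL)
        return NULL;
    c->len = n;
    memcpy(c->data, src, n);                /* n + 1 bytes were allocated */
    c->data[n] = '\0';
    return c;
}

int main(void)
{
    printf("%zu\n", copy_id("0123456789abcdefXYZ"));  /* constructed input */
}
```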