On 2/7/14, Ted Unangst <t...@tedunangst.com> wrote:
> On Sat, Feb 08, 2014 at 01:32, Christian Weisgerber wrote:
>> Back in January, there was this commit to gcc:
>>
>> Enable Wbounded by default. Passing bound bigger than the buffer
>> size almost always has security implications.
>
> Very interesting set of errors. Just based on a quick read through the
> log file:
>
>> ./audio/rioutil.log:rio.c:650: warning: array size (16) smaller than bound length (17)
>
> There's some like this that look like obvious off by ones.
>
>> ./audio/pms.log:src/libmpdclient.c:396: warning: array size (1001) smaller than bound length (50000)
>
> There's some like this where you wonder how the two lengths could
> possibly be related.
>
>> ./audio/festival/core.log:EST_Chunk.cc:336: warning: array size (1) smaller than bound length (20)
>
> There's a lot of size 1 warnings, which I'd guess are uses of the
> struct hack and probably lower priority.

you don't like those?

>> ./audio/soundtracker.log:gui.c:1609: warning: non-positive bounds length (-1) detected
>
> WTF?

my guess: pointer into some buffer, and doing a look-back for last
character in said buffer.

    char *p = somebuf;
    for (...) {
        if (*p == 'r' && p[-1] == '\\')
            printf("or something like that...\n");
    }

meh,
--patrick

>> ./audio/audacious-plugins.log:Gb_Apu.cxx:126: warning: array size (16) smaller than bound length (32)
>> ./audio/milkytracker.log:ExporterXM.cpp:70: warning: array size (256) smaller than bound length (1024)
>
> And there's quite a few that are off by a multiple of two or four.
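
The read-through of the log quoted above, done as a script: an added example, not part of the thread and not OpenBSD tooling, that buckets -Wbounded warnings from a ports build log into the groups Ted names. The category labels and the classify/triage helpers are this example's own; the sample lines are the six quoted in the thread.

```python
import re
from collections import defaultdict

# The two warning shapes quoted in the thread: "<build log>:<source>:<line>: warning: ..."
PREFIX = r"^(?P<log>[^:]+):(?P<src>[^:]+):(?P<line>\d+): warning: "
SIZE_RE = re.compile(PREFIX + r"array size \((?P<size>\d+)\) smaller than "
                     r"bound length \((?P<bound>\d+)\)$")
NONPOS_RE = re.compile(PREFIX + r"non-positive bounds length \((?P<bound>-?\d+)\) detected$")

# Warning lines as quoted in the thread (mail-wrapped lines rejoined).
THREAD_LINES = [
    "./audio/rioutil.log:rio.c:650: warning: array size (16) smaller than bound length (17)",
    "./audio/pms.log:src/libmpdclient.c:396: warning: array size (1001) smaller than bound length (50000)",
    "./audio/festival/core.log:EST_Chunk.cc:336: warning: array size (1) smaller than bound length (20)",
    "./audio/soundtracker.log:gui.c:1609: warning: non-positive bounds length (-1) detected",
    "./audio/audacious-plugins.log:Gb_Apu.cxx:126: warning: array size (16) smaller than bound length (32)",
    "./audio/milkytracker.log:ExporterXM.cpp:70: warning: array size (256) smaller than bound length (1024)",
]


def classify(line):
    """Return (category, 'src:line') for a -Wbounded warning, else None.
    Category names are this example's labels for the groups named in the thread."""
    line = line.strip()
    m = NONPOS_RE.match(line)
    if m:
        return "non-positive-bound", f"{m['src']}:{m['line']}"
    m = SIZE_RE.match(line)
    if not m:
        return None  # some other line of build output
    size, bound = int(m["size"]), int(m["bound"])
    where = f"{m['src']}:{m['line']}"
    if size <= 1:  # size-1 (or GNU zero-length) trailing array: likely struct hack
        return "size-1-struct-hack", where
    if bound - size == 1:
        return "off-by-one", where
    if bound % size == 0 and bound // size in (2, 4):
        return "multiple-of-2-or-4", where
    return "unrelated-lengths", where


def triage(lines):
    """Group warning locations by category, skipping unrelated build output."""
    buckets = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            buckets[hit[0]].append(hit[1])
    return dict(buckets)
```
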