glibc does not compile at -O0 and -fstrict-overflow is enabled starting at -O1, meaning that -fstrict-overflow is always enabled. As a result, this code from libio/iogetdelim.c is wrong as gcc is free to optimize it out in case of overflow:

  if (__builtin_expect (cur_len + len + 1 < 0, 0))
    {
      __set_errno (EOVERFLOW);
      result = -1;
      goto unlock_return;
    }
Ping. This bug seems valid and has not been fixed. The fix is easy; change the condition to (len >= SSIZE_MAX - cur_len)
Wrong, gcc cannot and does not optimize the code away. If it does it's a compiler problem.
If it is testing whether cur_len + len + 1 overflowed from positive into negative, then it is undefined behavior, because all the additions are performed in signed _IO_ssize_t.
(In reply to comment #3)
> If it is testing whether cur_len + len + 1 overflowed from positive into
> negative, then it is undefined behavior, because all the additions are
> performed in signed _IO_ssize_t.

The compiler cannot know that the variables are not negative. Therefore the test has to be emitted.
Whether gcc optimizes this away probably depends on the compiler version and options. I would have to read the code in greater detail to claim that this is definitely the case, but it's likely that it's provable that cur_len and len are always non-negative. Even if not, the code is invoking undefined behavior, so there are other reasons the test could fail to work as expected. I already submitted a fix; please apply or write your own better fix if you prefer.
Stop wasting people's time, there is nothing wrong.
(In reply to comment #4)
> The compiler cannot know that the variables are not negative. Therefore the
> test has to be emitted.

If a human can know the fact that these variables are not negative, then a smart compiler also can deduce this fact.
I think it's going to take someone finding a version of gcc that can make the optimization, and then publishing an attack that results in memory corruption and possibly privilege elevation, to break through the brick wall known as Drepper's ego and get this bug fixed...
FWIW I think we should fix signed integer overflows found in the code even if we do not have any case where they cause problems in practice.
Ping. Has this been fixed?
From source inspection it appears this issue is still present, and as per my previous comment I think we should fix it.
Fixed for 2.17 by:

commit 60160d83a09c659d8d9338b210ff92be77cc87d5
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Sep 4 11:24:43 2012 +0000

    Fix iogetdelim.c (latent) integer overflow (bug 9914).