In Commit:

author Noah Goldstein <goldstein.w.n@gmail.com>
Thu, 20 May 2021 17:13:51 +0000 (13:13 -0400)
commit 6abf27980a947f9b6e514d6b33b83059d39566ae

The loop bound calculation was changed to essentially the following pseudo code:

    void * end = dst + length;
    while(dst < end) {
        // Copy Bytes
    }

This can potentially be an issue as, if length + dst overflows, end will be less than dst and the loop will exit on the first iteration. So for example under certain conditions memset(ptr, c, SIZE_MAX) would not throw a Segmentation Fault.

An example can be found here: https://godbolt.org/z/K1hE5cKvf

Some things worth noting:

1) This bug is also present in nearly all wcsmbs string/memory function implementations on x86_64 because they almost always execute `salq $2, %rdx` to adjust length which would cause overflow if the input is above 2 ^ ((sizeof(size_t) - 2).

2) This bug only affects CPUs without ERMS as any value that will cause overflow is also surely greater than __x86_rep_stosb_threshold.
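The wrap-around described in the report above, as an added example that is not part of the original report and is not glibc code: it models the `end = dst + length` bound with `uintptr_t` arithmetic and adds a caller-side check for lengths that would wrap. The function names and the address `0x1000` are hypothetical, constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* End bound from the pseudo code, modelled on uintptr_t so the wrap is
   well-defined (unsigned arithmetic is modulo 2^N). */
static uintptr_t loop_end(uintptr_t dst, size_t length)
{
    return dst + (uintptr_t)length;
}

/* Bytes a byte-at-a-time `while (dst < end)` loop would write. */
static size_t bytes_loop_would_write(uintptr_t dst, size_t length)
{
    uintptr_t end = loop_end(dst, length);
    return dst < end ? (size_t)(end - dst) : 0;
}

/* Caller-side check: true when dst + length does not fit in the address space. */
static bool range_wraps(uintptr_t dst, size_t length)
{
    return (uintptr_t)length > UINTPTR_MAX - dst;
}

/* Wide variants scale the count by 4 (`salq $2, %rdx`); true when that
   shift would discard high bits. */
static bool wide_count_overflows(size_t count)
{
    return count > SIZE_MAX / 4;
}

int main(void)
{
    uintptr_t dst = 0x1000; /* constructed address, not from the report */
    printf("len=16:       writes %zu, wraps=%d\n",
           bytes_loop_would_write(dst, 16), range_wraps(dst, 16));
    printf("len=SIZE_MAX: writes %zu, wraps=%d\n",
           bytes_loop_would_write(dst, SIZE_MAX), range_wraps(dst, SIZE_MAX));
    printf("wide count SIZE_MAX/4+1 overflows=%d\n",
           wide_count_overflows(SIZE_MAX / 4 + 1));
    return 0;
}
```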
This is not a bug. Passing a length that would cause overflow is undefined behavior. https://marc.info/?l=glibc-alpha&m=162308797213313&w=2