[PATCH] D41423: [Lex] Avoid out-of-bounds dereference in LexAngledStringLiteral.

Richard Smith - zygoloid via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed Jan 10 18:50:21 PST 2018


rsmith added a comment.

In https://reviews.llvm.org/D41423#968587, @vsapsai wrote:

> OSS-Fuzz classifies the bug as a medium-severity security issue


Well, you should probably fix it to not do that. Any sane threat model involving a C++ compiler should assume that if you can feed the compiler arbitrary input, you can get it to execute arbitrary code, and that that's a feature, not a bug. (For example, our constant expression evaluator can already run arbitrary code as required by the language specification; there happen to be no IO operations that it can perform yet, but it's only a matter of time until enough are required that the program can fully escape the bounds of the compiler as part of the compilation process.) As such, fuzzer bugs that are not representative of patterns found in real programs are likely to be prioritized below bugs that users might more commonly run into, rather than being given special "security bug" treatment.


https://reviews.llvm.org/D41423