[cfe-dev] clang feature request: integer overflow check in operator new

Felix von Leitner felix-llvm at fefe.de
Tue Mar 23 08:17:51 PDT 2010


Dear clang developers,

I have a humble feature request for clang, now that it officially
supports C++: integer overflow check in operator new.

Basically, in code like this:

   int* foo=new int[somevalue];

the compiler does an implicit somevalue*sizeof(int) and passes that
value to operator new.  If that multiplication overflows, this is a
security vulnerability.  The Microsoft solution is to use the overflow
flag on x86 to set the resulting value to (size_t)-1, which will then
make operator new fail.  There are caveats to this, obviously, but it is
an important step to make and it cannot be done without compiler help.

Would it be possible to get clang to do something like this in the code
generator?

That would really help the world be a more secure place in the long run,
and maybe it can even help convince g++ to follow suit.  Also, I really
like how you place emphasis on good diagnostic messages in clang, and I
will try to come up with suggestions on what to do even better there.
My biggest hope long-term would be to provide a framework for data flow
analysis using the link time optimization framework.  Now finally
compilers have enough context to do that kind of analysis, it is a great
opportunity to do some good.  I am thinking of some kind of tainting
warning.  And it would also be very helpful if clang supported something
like SAL <http://msdn.microsoft.com/en-us/library/ms235402(VS.80).aspx>.

Basically anything that allows me to annotate my library so that using
it incorrectly triggers better warnings would be greatly appreciated.

Thanks,

Felix
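What the request is about, as an added example that is not part of the original message or of clang: the byte count the compiler derives for `new int[somevalue]` is `somevalue * sizeof(int)`, and if that product wraps, operator new is handed a small number and returns a buffer far shorter than the program believes it has. The helper names below (`unchecked_array_bytes`, `saturating_array_bytes`, `checked_new_array`) are assumptions made for illustration; the saturating variant mimics the described behaviour of forcing the size to `(size_t)-1` so that the allocation fails instead of succeeding with a truncated size. The element counts used are constructed to sit exactly on the wrap-around boundary for the build's `size_t` width.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <new>

// Unchecked multiplication: what the post says the compiler does implicitly
// for `new T[n]`.  The product silently wraps modulo 2^(bits in size_t).
size_t unchecked_array_bytes(size_t n, size_t elem_size) {
    return n * elem_size;
}

// Hypothetical checked version (not clang's code): detect the overflow
// before it happens and saturate to (size_t)-1, the value the post
// describes Microsoft's compiler using so that operator new must fail.
size_t saturating_array_bytes(size_t n, size_t elem_size) {
    const size_t max = std::numeric_limits<size_t>::max();
    if (elem_size != 0 && n > max / elem_size) {
        return max;  // (size_t)-1: no allocator can satisfy this request
    }
    return n * elem_size;
}

// Hypothetical allocation wrapper built on the check: returns nullptr for
// an overflowing count instead of a dangerously short buffer.  Uses the
// nothrow form so a huge-but-valid request also reports failure as nullptr.
template <typename T>
T* checked_new_array(size_t n) {
    const size_t bytes = saturating_array_bytes(n, sizeof(T));
    if (bytes == std::numeric_limits<size_t>::max()) {
        return nullptr;
    }
    return static_cast<T*>(::operator new(bytes, std::nothrow));
}

// Constructed element count chosen so that n * sizeof(int) is exactly
// 2^(bits in size_t): the unchecked product wraps to 0.
size_t overflowing_int_count() {
    return std::numeric_limits<size_t>::max() / sizeof(int) + 1;
}

int main() {
    const size_t n = overflowing_int_count();
    std::printf("n = %zu elements of %zu bytes\n", n, sizeof(int));
    std::printf("unchecked size passed to operator new: %zu\n",
                unchecked_array_bytes(n, sizeof(int)));
    std::printf("saturating size passed to operator new: %zu\n",
                saturating_array_bytes(n, sizeof(int)));

    int* p = checked_new_array<int>(n);
    std::printf("checked_new_array: %s\n", p ? "allocated" : "refused");
    ::operator delete(p);

    int* q = checked_new_array<int>(16);
    std::printf("checked_new_array(16): %s\n", q ? "allocated" : "refused");
    ::operator delete(q);
    return 0;
}
```

The first printf line shows the hazard the post describes: the wrapped byte count is 0, so an unchecked `new int[n]` would request zero bytes and then let the program index `n` elements into it. The saturating helper turns the same input into a request the allocator cannot satisfy. Later clang releases did add an overflow check to array new that makes the allocation fail; the wrapper above is only an illustration of the mechanism, not clang's implementation.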
