Closed
Description
Using -fsanitize=pointer-overflow doesn't appear to provide any checking on pointer math. GCC's implementation correctly triggers if NULL is operated on or if a value would wrap around.
https://godbolt.org/z/1c6ec9TTP
#include <stdlib.h>
#include <stdio.h>

/* Using stderr for all output or else godbolt doesn't intermix output. */
int main(int argc, char *argv[]) {
    void *p = NULL;
    fprintf(stderr, "%p (%zu)\n", p, (size_t)p);
    /* argc is a stand-in for "1" to avoid optimization */
    p -= argc;
    fprintf(stderr, "%p (%zu)\n", p, (size_t)p);
    p += argc;
    fprintf(stderr, "%p (%zu)\n", p, (size_t)p);
    return 0;
}
Clang just shows the value wrapping:
(nil) (0)
0xffffffffffffffff (18446744073709551615)
(nil) (0)
But GCC will catch it:
(nil) (0)
/app/example.c:11:7: runtime error: applying non-zero offset 18446744073709551615 to null pointer
0xffffffffffffffff (18446744073709551615)
/app/example.c:15:7: runtime error: applying non-zero offset to non-null pointer 0xffffffffffffffff produced null pointer
(nil) (0)
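As an added example, not part of the report and not code from LLVM or GCC: an explicit bounds-checked pointer advance in C that rejects the two operations GCC's -fsanitize=pointer-overflow flags above (applying a non-zero offset to a null pointer, and an offset that wraps the address or lands on null) as well as plain out-of-bounds moves. The checks compare uintptr_t values, so the check itself is defined behaviour even where the unchecked arithmetic would not be, which is what you want when the sanitizer cannot be relied on. The names checked_advance, demo_buf and demo_checks are hypothetical, and demo_buf is a constructed sample buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the checked pointer advance (hypothetical names). */
enum ptr_adv_status {
    PTR_ADV_OK = 0,
    PTR_ADV_NULL_BASE,      /* offset applied to a null pointer */
    PTR_ADV_WRAP,           /* result would wrap the address space or become null */
    PTR_ADV_OUT_OF_BOUNDS   /* result would leave [base, base + buf_len] */
};

/* Advance p by `offset` bytes inside a buffer of `buf_len` bytes starting at `base`.
   All comparisons are done on uintptr_t values, so no pointer arithmetic is
   performed until the move is known to be valid; *out is written only on success. */
static enum ptr_adv_status checked_advance(const char *base, size_t buf_len,
                                           const char *p, ptrdiff_t offset,
                                           const char **out)
{
    if (base == NULL || p == NULL)
        return PTR_ADV_NULL_BASE;
    uintptr_t pv = (uintptr_t)p;
    uintptr_t bv = (uintptr_t)base;
    /* p itself must already lie inside the buffer (one-past-the-end allowed). */
    if (pv < bv || pv - bv > buf_len)
        return PTR_ADV_OUT_OF_BOUNDS;
    if (offset >= 0) {
        uintptr_t off = (uintptr_t)offset;
        if (off > UINTPTR_MAX - pv)           /* would wrap past the top of memory */
            return PTR_ADV_WRAP;
        if (off > buf_len - (pv - bv))        /* would run past the end of the buffer */
            return PTR_ADV_OUT_OF_BOUNDS;
    } else {
        /* |offset| computed without overflowing on PTRDIFF_MIN */
        uintptr_t off = (uintptr_t)(-(offset + 1)) + 1u;
        if (off >= pv)                        /* would wrap below zero or produce null */
            return PTR_ADV_WRAP;
        if (off > pv - bv)                    /* would move before the start of the buffer */
            return PTR_ADV_OUT_OF_BOUNDS;
    }
    *out = p + offset;
    return PTR_ADV_OK;
}

/* Constructed sample buffer used by the demo and the test. */
static char demo_buf[16];

/* Runs the moves discussed in the report plus two in-bounds moves;
   returns how many were rejected (3 of the 5). */
static int demo_checks(void)
{
    const char *out = NULL;
    int rejected = 0;
    /* arithmetic on a null pointer, as in the report's `p -= argc` */
    rejected += checked_advance(NULL, 0, NULL, -1, &out) != PTR_ADV_OK;
    /* move to one-past-the-end: allowed */
    rejected += checked_advance(demo_buf, sizeof demo_buf, demo_buf, 16, &out) != PTR_ADV_OK;
    /* one byte beyond that: rejected */
    rejected += checked_advance(demo_buf, sizeof demo_buf, demo_buf, 17, &out) != PTR_ADV_OK;
    /* back to the start: allowed */
    rejected += checked_advance(demo_buf, sizeof demo_buf, demo_buf + 4, -4, &out) != PTR_ADV_OK;
    /* one byte before the start: rejected */
    rejected += checked_advance(demo_buf, sizeof demo_buf, demo_buf + 4, -5, &out) != PTR_ADV_OK;
    return rejected;
}

int main(void)
{
    printf("rejected %d of 5 pointer moves\n", demo_checks());
    return 0;
}
```

The helper deliberately takes the buffer bounds as parameters: the address-space wrap that UBSan reports is only one of the conditions a real program has to refuse, and once the bounds are known the null and wrap cases fall out of the same comparisons.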