MSan may incorrectly report buffer overflow due to undefined behavior #51
kcwu changed the title from "ASan may incorrectly report buffer overflow due to undefined behavior" to "MSan may incorrectly report buffer overflow due to undefined behavior" on Dec 10, 2016
Ah, should be MSan, not ASan. I modified the text of the description. I will add a concrete case later.
rkta added a commit to rkta/w3m that referenced this issue on Sep 1, 2021:

Compiling with GCC 10.2 with -fsanitize=address,undefined valgrind reports:

table.c:1632:8: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1266:11: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1267:12: runtime error: variable length array bound evaluates to non-positive value 0

'maxcell' is initialized to -1 which results in a size of 0 during the first iteration. Though the array is only accessed if maxcell >= 0, using a variable length array with a size < 1 is undefined behaviour (see e.g. C99 6.7.5.2, p5).

This closes issue tats#51.
rkta added a commit to rkta/w3m that referenced this issue on Sep 2, 2021:

Compiling with GCC 10.2 with -fsanitize=address,undefined valgrind and opening the 'options panel' reports:

table.c:1632:8: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1266:11: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1267:12: runtime error: variable length array bound evaluates to non-positive value 0

'maxcell' is initialized to -1 which results in a size of 0 during the first iteration. Though the array is only accessed if maxcell >= 0, using a variable length array with a size < 1 is undefined behaviour (see e.g. C99 6.7.5.2, p5).

This closes issue tats#51.
Fixed with #192
bptato pushed a commit to bptato/w3m that referenced this issue on Jul 29, 2023:

Compiling with GCC 10.2 with -fsanitize=address,undefined valgrind and opening the 'options panel' reports:

table.c:1632:8: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1266:11: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1267:12: runtime error: variable length array bound evaluates to non-positive value 0

'maxcell' is initialized to -1 which results in a size of 0 during the first iteration. Though the array is only accessed if maxcell >= 0, using a variable length array with a size < 1 is undefined behaviour (see e.g. C99 6.7.5.2, p5).

This closes issue tats#51.
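The pattern the commit messages describe, as an added illustration that is not w3m's own table.c: a scratch VLA sized maxcell + 1, where maxcell starts at -1, beside a guarded form that never reaches a VLA declaration with a non-positive bound. The sum_widths_* functions and the sample widths are hypothetical.

```c
#include <stdio.h>

/* Hypothetical stand-in for the loop in the commit message (not w3m code):
 * maxcell == -1 means "no cells seen yet", and a per-iteration scratch VLA
 * is sized maxcell + 1, which evaluates to 0 on the first pass. */

/* Before: the VLA is declared unconditionally. Even though the loop body
 * never touches tmp when maxcell < 0, a VLA bound that is not > 0 is
 * undefined behaviour (C99 6.7.5.2p5); -fsanitize=undefined reports it at
 * the declaration. Callers must not pass maxcell < 0. */
static int sum_widths_unchecked(const int *widths, int maxcell)
{
    int tmp[maxcell + 1];            /* bound is 0 when maxcell == -1 */
    int total = 0;
    for (int i = 0; i <= maxcell; i++) {
        tmp[i] = widths[i];
        total += tmp[i];
    }
    return total;
}

/* After: return before the declaration when there is nothing to do, so
 * every VLA declaration that is actually reached has a bound >= 1. */
static int sum_widths_checked(const int *widths, int maxcell)
{
    if (maxcell < 0)
        return 0;                    /* no cells: no VLA is declared at all */
    int tmp[maxcell + 1];            /* bound >= 1 here */
    int total = 0;
    for (int i = 0; i <= maxcell; i++) {
        tmp[i] = widths[i];
        total += tmp[i];
    }
    return total;
}

int main(void)
{
    int widths[] = { 3, 5, 7 };      /* constructed sample cell widths */
    printf("maxcell=-1 -> %d\n", sum_widths_checked(widths, -1));
    printf("maxcell=2  -> %d\n", sum_widths_checked(widths, 2));
    return 0;
}
```

Building this with -fsanitize=undefined and calling sum_widths_unchecked with maxcell == -1 produces the same "variable length array bound evaluates to non-positive value 0" report quoted above; the checked form produces none.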
I cannot recall the exact case confusing MSan. Something like this:

MSan may report buffer overflow when accessing bar.

Build w3m with clang -fsanitize=undefined:
case1
case2

I don't know whether they are security related or not. But since MSan may be confused, I think they are worth fixing.
This is found by afl-fuzz.