Michael Ströder writes:
> [Bug c/27180] New: pointer arithmetic overflow handling broken
> http://gcc.gnu.org/ml/gcc-bugs/2006-04/msg01297.html
That code, "(char *)buf + (unsigned long)-1", yields undefined behavior if buf points at an object smaller than (unsigned long)-1 bytes. Pointer arithmetic is only valid within a single object.
However, the bug it is marked as a dup of miscompiles valid code:

    int *start /* size 100 */, *tmp;
    ...
    for (tmp = start + 100; tmp > start; --tmp);

OpenLDAP has code which scans a struct berval backwards from bv_val+bv_len to bv_val.
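
The two cases discussed above, as an added C example that is not part of the original message or of OpenLDAP: a length check done on integers instead of on a wrapped pointer, and a backward scan that starts at the one-past-the-end pointer. `struct span`, `range_ok` and `last_index_of` are hypothetical names, and the sample string is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a length-counted string such as struct berval. */
struct span {
    size_t len;
    const char *val;
};

/* Bounds check without pointer wraparound: compare sizes as integers.
 * Forming buf + len and then testing "buf + len < buf" is undefined when
 * len exceeds the object size, so a compiler need not preserve that test. */
static int range_ok(size_t buf_size, size_t offset, size_t len)
{
    return offset <= buf_size && len <= buf_size - offset;
}

/* Backward scan from val + len (one past the end, a valid pointer) down
 * to val, staying inside one object throughout.
 * Returns the index of the last occurrence of c, or -1 if absent. */
static long last_index_of(const struct span *s, char c)
{
    const char *p;

    for (p = s->val + s->len; p > s->val; --p) {
        if (p[-1] == c)
            return (long)(p - 1 - s->val);
    }
    return -1;
}

int main(void)
{
    /* Constructed sample input. */
    static const char dn[] = "cn=admin,dc=example,dc=com";
    struct span s = { sizeof dn - 1, dn };

    printf("last ',' at index %ld\n", last_index_of(&s, ','));
    printf("len (size_t)-1 accepted: %d\n", range_ok(s.len, 0, (size_t)-1));
    return 0;
}
```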