Date: Fri, 08 Nov 2019 09:02:02 -0800
From: Russ Allbery <>
To: Georgi Guninski <>
Subject: Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)|

Georgi Guninski <> writes:

> Any workarounds?

> ===poc===
> #include <assert.h>
> #include <stdio.h>
>
> int foo(int a) {
>   assert(a+100 > a);   /* signed overflow is UB, so gcc may fold this to true */
>   printf("%d %d\n",a+100,a);
>   return a;
> }
>
> int main() {
>   foo(100);
>   foo(0x7fffffff);     /* INT_MAX: a+100 overflows */
> }
> =========

As pointed out in the bug, if you want defined behavior from signed
integer overflow, you can ask for it with -fwrapv:

$ gcc -O3 -fwrapv -o foo foo.c
$ ./foo
200 100
foo: foo.c:5: foo: Assertion `a+100 > a' failed.
Aborted (core dumped)

The C standard says this shouldn't be the default, but software that cares
about avoiding undefined behavior should consider adding -fwrapv, or
carefully writing the check to avoid overflow (something that, sadly, one
needs to become expert in to use C relatively safely).

Or, of course, use a different language that has more safety checks built
into the language definition, although that's obviously a much broader
(and probably off-topic) conversation.

Russ Allbery <>
