Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 08 Nov 2019 20:20:55 +0100
From: Florian Weimer <>
To: Russ Allbery <>
Cc: Georgi Guninski <>,
Subject: Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)|

* Russ Allbery:

> The C standard says this shouldn't be the default, but software that cares
> about avoiding undefined behavior should consider adding -fwrapv, or
> carefully writing the check to avoid overflow (something that, sadly, one
> needs to become expert in to use C relatively safely).

The C standard doesn't *require* a particular behavior (for non-atomic
integers).  Each time this comes up in the committees, more strict
requirements do not make it into the text.  For example, the recent
P0907R4 for C++, “Signed Integers are Two’s Complement”
does not require it, either:

| /Status-quo/ If a signed operation would naturally produce a value
| that is not within the range of the result type, the behavior is
| undefined.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.