Catching pointer overflow bugs
Mon 11/18/13 18:05 in technical
In every variety of C and C++, pointer arithmetic whose result does not stay within the object it started from (or one past its end) is undefined, so a pointer that overflows is undefined behavior. That is to say, the following example:
#include <stdint.h>
#include <stdio.h>

void invalid(char *p) {
    char *q = p + 1;
    /* pointer minus an integer: the result lies far outside the object p
       points into, so this subtraction is undefined behavior */
    printf("%p\n", (void *)(p - (uintptr_t)q));
}
invokes undefined behavior: the subtraction makes the pointer value wrap around to the equivalent of -sizeof(char), which is 0xffffffffffffffff on my 64-bit system.
Unlike integer overflows, which can be dangerous or benign regardless of intent (ICSE12), pointer overflows are very unlikely to be intentional, and one is usually the symptom of a more serious bug that results in incorrect behavior or a program crash.
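The safe way to detect the wraparound shown above is to do the comparison on integers, where unsigned wraparound is well defined, rather than on the pointer, where it is undefined. The following is an added example, not code from the original post: addr_sub reproduces the post's p - q computation on uintptr_t values, and checked_ptr_add is a hypothetical helper that refuses to compute p + n unless p lies inside the object [base, base + len] and the result cannot wrap or leave the object. The 16-byte buffer in the demo functions is constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address difference computed on uintptr_t, where wraparound is well defined,
   instead of on the pointer itself.  For q == p + 1 this yields UINTPTR_MAX,
   i.e. -sizeof(char) modulo 2^N, without invoking undefined behavior. */
uintptr_t addr_sub(const void *p, const void *q)
{
    return (uintptr_t)p - (uintptr_t)q;
}

/* Hypothetical helper (not from the post): store p + n in *out only if p is
   inside (or one past the end of) the object [base, base + len] and the
   result stays there too.  Every comparison is done on integers, so a
   would-be wraparound is caught before any pointer arithmetic happens. */
bool checked_ptr_add(const char *base, size_t len, const char *p, size_t n,
                     const char **out)
{
    uintptr_t b = (uintptr_t)base;
    uintptr_t a = (uintptr_t)p;

    if (a < b || a - b > len)      /* p does not point into the object */
        return false;
    if (n > UINTPTR_MAX - a)       /* a + n would wrap around the address space */
        return false;
    if (n > len - (a - b))         /* result would land past one-past-the-end */
        return false;
    *out = p + n;                  /* provably in range, so this is defined */
    return true;
}

/* The post's scenario: q = p + 1, then p - q as unsigned addresses. */
uintptr_t wrapped_diff_demo(void)
{
    char buf[4] = {0};             /* constructed sample object */
    const char *p = buf;
    const char *q = p + 1;
    return addr_sub(p, q);         /* UINTPTR_MAX on every platform */
}

/* Returns 1 if offset n from the start of a constructed 16-byte buffer is
   accepted by checked_ptr_add, 0 if it is rejected. */
int checked_add_demo(size_t n)
{
    static char buf[16];
    const char *out = NULL;
    return checked_ptr_add(buf, sizeof buf, buf, n, &out) ? 1 : 0;
}

int main(void)
{
    printf("p - (p + 1) as an address: %#" PRIxPTR "\n", wrapped_diff_demo());
    printf("n=16 accepted: %d, n=17 accepted: %d, n=SIZE_MAX accepted: %d\n",
           checked_add_demo(16), checked_add_demo(17), checked_add_demo(SIZE_MAX));
    return 0;
}
```

The same bug class can also be caught at run time with a sanitizer: Clang's UndefinedBehaviorSanitizer has a pointer-overflow check (-fsanitize=pointer-overflow), which reports exactly this kind of wrapping arithmetic when it executes.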