commit 26008e07dea3ca4e4ee1f7634923059ea7f17f7a
author Chris Lattner <sabre@nondot.org> Tue Jul 20 20:19:24 2010 +0000
committer Chris Lattner <sabre@nondot.org> Tue Jul 20 20:19:24 2010 +0000
tree 8c49fce66759baecc9e1497120a425d04adc8af6
parent 47a0f0d56f7a229bf2646c7b69fbe1ed43b87715

implement rdar://5739832 - operator new should check for overflow in multiply,
causing clang to compile this code into something that correctly throws a
length error, fixing a potential integer overflow security attack:

void *test(long N) {
  return new int[N];
}

int main() {
  test(1L << 62);
}

We do this even when exceptions are disabled, because it is better for the
code to abort than for the attack to succeed.

This is heavily based on a patch that Fariborz wrote.

llvm-svn: 108915

clang/lib/CodeGen/CodeGenFunction.h

diff --git a/clang/lib/CodeGen/CodeGenFunction.h b/clang/lib/CodeGen/CodeGenFunction.h
index 778604b..1a117ca 100644
--- a/clang/lib/CodeGen/CodeGenFunction.h
+++ b/clang/lib/CodeGen/CodeGenFunction.h
@@ -656,7 +656,7 @@
 
   llvm::BasicBlock *TerminateLandingPad;
   llvm::BasicBlock *TerminateHandler;
-  llvm::BasicBlock *TrapBB;
+  llvm::BasicBlock *TrapBB, *ThrowLengthErrorBB;
 
 public:
   CodeGenFunction(CodeGenModule &cgm);
@@ -1542,7 +1542,11 @@
 
   /// getTrapBB - Create a basic block that will call the trap intrinsic.  We'll
   /// generate a branch around the created basic block as necessary.
-  llvm::BasicBlock* getTrapBB();
+  llvm::BasicBlock *getTrapBB();
+  
+  /// getThrowLengthErrorBB - Create a basic block that will call
+  /// std::__throw_length_error to throw a std::length_error exception.
+  llvm::BasicBlock *getThrowLengthErrorBB();
   
   /// EmitCallArg - Emit a single call argument.
   RValue EmitCallArg(const Expr *E, QualType ArgType);