Title goes here

placement new constructing an object of type ‘int64_t’ {aka ‘long int’} and size ‘8’ in a region of type ‘int8_t’ {aka ‘signed char’} and size ‘1’ [-Wplacement-new=]

13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		^~

‘s’ declared here

12		int8_t s;
		^

stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds]

13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		^~~~~~~

void var_too_short()

void var_too_short(): events 1-2

12		int8_t s;
		^
		\|
		(1) capacity: 1 byte
13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		~~~~~~~
		\|
		(2) ⚠️ out-of-bounds write from byte 1 till byte 7 but ‘s’ ends at byte 1

write of 7 bytes to beyond the end of ‘s’

13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		^~~~~~~

allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]

13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		^~~~~~~

void var_too_short()

void var_too_short(): events 1-2

12		int8_t s;
		^
		\|
		(1) allocated 1 byte hereallocated here
13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		~~~~~~~
		\|
		(2) ⚠️ assigned to ‘int64_t’ {aka ‘long int’} here; ‘sizeof (int64_t {aka long int})’ is ‘8’

allocated buffer size is not a multiple of the pointee's size [CWE-131] [-Wanalyzer-allocation-size]

13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		^~~~~~~

void var_too_short()

void var_too_short(): events 1-3

10		void var_too_short ()
		^~~~~~~~~~~~~
		\|
		(1) entry to ‘var_too_short’
11		{
12		int8_t s;
		~
		\|
		(2) allocated 1 byte hereallocated here
13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		~~~~~~~
		\|
		(3) calling ‘operator new’ from ‘var_too_short’

void* operator new(std::size_t, void*)

void* operator new(std::size_t, void*): event 4

../../src/libstdc++-v3/libsupc++/new:206:7:

206		void* operator new(std::size_t, void* __p)
		^~~~~~~~
		\|
		(4) entry to ‘operator new’

void var_too_short(): event 5

../../src/gcc/testsuite/g++.dg/analyzer/placement-new-size.C:13:26:

13		int64_t lp = new (&s) int64_t; / { dg-warning "stack-based buffer overflow" } */
		^~~~~~~
		\|
		(5) ⚠️ assigned to ‘int64_t’ {aka ‘long int’} here; ‘sizeof (int64_t {aka long int})’ is ‘8’

stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds]

21		int p = new (buf) int[n + 1]; / { dg-warning "stack-based buffer overflow" } */
		^

void static_buffer_too_short()

void static_buffer_too_short(): events 1-2

20		int buf[n];
		^~~
		\|
		(1) capacity: 64 bytes
21		int p = new (buf) int[n + 1]; / { dg-warning "stack-based buffer overflow" } */
		~
		\|
		(2) following ‘true’ branch... ─>─┐
		│

void static_buffer_too_short(): events 3-4

		│
	┌	────────────────────────────────────────────────────────────────┘
21	│	int p = new (buf) int[n + 1]; / { dg-warning "stack-based buffer overflow" } */
	│	^
	│	\|
	└	─────────────────────────────>(3) ...to here
		(4) ⚠️ out-of-bounds write from byte 64 till byte 67 but region ends at byte 64

write of 4 bytes to beyond the end of the region

21		int p = new (buf) int[n + 1]; / { dg-warning "stack-based buffer overflow" } */
		^

stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds]

28		char p = new (buf) char[n + 10]; / { dg-warning "stack-based buffer overflow" } */
		^

void symbolic_buffer_too_short()

void symbolic_buffer_too_short(): events 1-2

27		char buf[n];
		^~~
		\|
		(1) capacity: ‘n’ bytes
28		char p = new (buf) char[n + 10]; / { dg-warning "stack-based buffer overflow" } */
		~
		\|
		(2) ⚠️ write at offset ‘0’ exceeds the buffer

heap-based buffer overflow [CWE-122] [-Wanalyzer-out-of-bounds]

36		int32_t i = ::new (p + 1) int32_t; / { dg-warning "heap-based buffer overflow" } */
		^~~~~~~

void test_binop()

void test_binop(): events 1-4

33		char p = (char ) malloc (4);
		~~~~~~~^~~
		\|
		(1) capacity: 4 bytes
34		if (!p)
		~~
		\|
		(2) following ‘false’ branch (when ‘p’ is non-NULL)... ─>─┐
		│
		│
	┌	────────────────────────────────────────────────────────────┘
35	│	return;
36	│	int32_t i = ::new (p + 1) int32_t; / { dg-warning "heap-based buffer overflow" } */
	│	~~~~~~~
	│	\|
	└	────────────────────────────>(3) ...to here
		(4) ⚠️ out-of-bounds write at byte 4 but region ends at byte 4

write of 1 byte to beyond the end of the region

36		int32_t i = ::new (p + 1) int32_t; / { dg-warning "heap-based buffer overflow" } */
		^~~~~~~

heap-based buffer overflow [CWE-122] [-Wanalyzer-out-of-bounds]

37		i = 42; / { dg-warning "heap-based buffer overflow" } */
		~~~^~~~

void test_binop()

void test_binop(): events 1-4

33		char p = (char ) malloc (4);
		~~~~~~~^~~
		\|
		(1) capacity: 4 bytes
34		if (!p)
		~~
		\|
		(2) following ‘false’ branch (when ‘p’ is non-NULL)... ─>─┐
		│
		│
	┌	────────────────────────────────────────────────────────────┘
35	│	return;
36	│	int32_t i = ::new (p + 1) int32_t; / { dg-warning "heap-based buffer overflow" } */
	│	~~~~~~~
	│	\|
	└	────────────────────────────>(3) ...to here
37		i = 42; / { dg-warning "heap-based buffer overflow" } */
		~~~~~~~
		\|
		(4) ⚠️ out-of-bounds write at byte 4 but region ends at byte 4

write of 1 byte to beyond the end of the region

37		i = 42; / { dg-warning "heap-based buffer overflow" } */
		~~~^~~~