It sounds like checking overflow by seeing if the addition of two positive values is negative is undefined behavior, and a sufficiently smart compiler is then allowed to remove the check. It sounds like newer versions of GCC can do this sometimes, though I'm not sure if they do it in this particular case. This was reported to me on Twitter: https://twitter.com/spun_off/status/730281375828480001 Anyways, we should probably use CheckedInt instead.
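To make the point above concrete, here is an added example (not code from the bug, from expat, or from Mozilla) showing the pattern being discussed and a check that does not rely on signed wraparound. The `naive_sum_overflows` function is the idiom the comment warns about: because signed overflow is undefined, a compiler is entitled to assume `a + b` never wraps and fold the test to false. `checked_add_int` does the comparison before the addition (or uses `__builtin_add_overflow` where GCC/Clang provide it), so no overflow ever occurs. `grow_buffer_size` is a hypothetical doubling loop of the kind the comment refers to; it is an illustration, not expat's actual code. mozilla::CheckedInt is the C++ counterpart the comment suggests.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The pattern the comment warns about. If a + b actually overflows this is
   undefined behaviour, and GCC/Clang may legally compile the function to
   `return false`, deleting the check. Only call it with non-overflowing inputs. */
static bool naive_sum_overflows(int a, int b) {
    return a > 0 && b > 0 && a + b < 0;
}

/* Overflow-safe signed addition: returns true and stores a + b in *out, or
   returns false (leaving *out untouched) if the sum does not fit in an int.
   No signed overflow happens on any path, so the compiler cannot remove it. */
static bool checked_add_int(int a, int b, int *out) {
#if defined(__GNUC__) || defined(__clang__)
    /* Compiles to an add plus an overflow-flag test. */
    return !__builtin_add_overflow(a, b, out);
#else
    /* Portable form: compare against the limits before adding. */
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
#endif
}

/* Hypothetical doubling loop (not expat's code): grow `size` until it can
   hold `needed`. Returns the new size, or -1 if doubling would exceed INT_MAX
   or the inputs are not sane, instead of silently wrapping negative. */
static int grow_buffer_size(int size, int needed) {
    if (size <= 0 || needed < 0)
        return -1;
    while (size < needed) {
        int doubled;
        if (!checked_add_int(size, size, &doubled))
            return -1;              /* size * 2 would not fit in an int */
        size = doubled;
    }
    return size;
}

int main(void) {
    int sum;
    /* Constructed sample inputs: one that fits and one that would wrap. */
    printf("1 + 2 fits: %s (sum=%d)\n",
           checked_add_int(1, 2, &sum) ? "yes" : "no", sum);
    printf("INT_MAX + 1 fits: %s\n",
           checked_add_int(INT_MAX, 1, &sum) ? "yes" : "no");
    printf("grow 1024 -> need 5000: %d\n", grow_buffer_size(1024, 5000));
    printf("grow %d -> need INT_MAX: %d\n",
           INT_MAX / 2 + 1, grow_buffer_size(INT_MAX / 2 + 1, INT_MAX));
    return 0;
}
```

Build with `-O2 -fsanitize=undefined` to see the difference in practice: the checked functions stay silent, while feeding overflowing inputs to the naive check trips UBSan (or, without the sanitizer, may simply report "no overflow" because the branch was folded away).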
Seems like it's not an issue yet:

> yes apparently the only reason expat compiled with GCC is safe is that GCC doesn't infer yet that bufferSize is positive before loop
See also bug 1031653 (not an actual See Also because those are public, although this one was discussed in public so that may not matter).