================
@@ -1372,18 +1428,26 @@ void
Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
case Builtin::BI__builtin___memccpy_chk:
case Builtin::BI__builtin___mempcpy_chk: {
DiagID = diag::warn_builtin_chk_overflow;
- SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 2);
+ SourceSize =
+ Checker.ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 2);
DestinationSize =
- ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
+ Checker.ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
IsChkVariant = true;
+
+ if (BuiltinID == Builtin::BI__builtin___memcpy_chk ||
+ BuiltinID == Builtin::BI__builtin___memmove_chk ||
+ BuiltinID == Builtin::BI__builtin___mempcpy_chk) {
+ checkSourceBufferOverread(FD, TheCall, /*SrcArgIdx=*/1, /*SizeArgIdx=*/2,
----------------
jpjepko wrote:
I assume you're asking why I skip the str* functions? It's trickier with
strings because the size no longer represents 'read **exactly** N bytes' but
rather 'read **up to** N bytes' because the null terminator will cause it to
stop reading the source buffer, potentially earlier than the size arg would
suggest. And a similar argument applies for `memccpy`.
https://github.com/llvm/llvm-project/pull/183004