https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98553

            Bug ID: 98553
           Summary: missing warning on strncmp reading past the end of a
                    zero size member array
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

GCC diagnoses the out-of-bounds reads by strcmp in fx and f0 but fails to
diagnose the corresponding out-of-bounds reads by strncmp in gx and g0.  In all
four functions the size of the character array is zero and so each call to the
string function starts reading past its end, and so past the end of the
enclosing object.

$ cat b.c && gcc -O2 -S -Wall -Wextra b.c
extern int strcmp (const char*, const char*);

void init (void*);

int fx (void)
{
  struct { char n, a[]; } a;
  init (&a);
  return 0 == strcmp (a.a, "123");   // -Wstringop-overread (good)
}

int f0 (void)
{
  struct { char n, a[0]; } a;
  init (&a);
  return 0 == strcmp (a.a, "123");   // -Wstringop-overread (good)
}


extern int strncmp (const char*, const char*, __SIZE_TYPE__);

int gx (void)
{
  struct { char n, a[]; } a;
  init (&a);
  return 0 == strncmp (a.a, "123", 3);   // missing -Wstringop-overread
}

int g0 (void)
{
  struct { char n, a[0]; } a;
  init (&a);
  return 0 == strncmp (a.a, "123", 3);   // missing -Wstringop-overread
}
b.c: In function ‘fx’:
b.c:9:15: warning: ‘strcmp’ reading 1 or more bytes from a region of size 0
[-Wstringop-overread]
    9 |   return 0 == strcmp (a.a, "123");   // -Wstringop-overread (good)
      |               ^~~~~~~~~~~~~~~~~~~
b.c:7:20: note: source object ‘a’ of size 0
    7 |   struct { char n, a[]; } a;
      |                    ^
b.c: In function ‘f0’:
b.c:16:15: warning: ‘strcmp’ reading 1 or more bytes from a region of size 0
[-Wstringop-overread]
   16 |   return 0 == strcmp (a.a, "123");   // -Wstringop-overread (good)
      |               ^~~~~~~~~~~~~~~~~~~
b.c:14:20: note: source object ‘a’ of size 0
   14 |   struct { char n, a[0]; } a;
      |                    ^

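Worked example, added here and not part of the bug report or of GCC's own code: it models the bound GCC uses to decide that the strcmp calls in fx and f0 are over-reads (at least one byte must be read from a region of size 0), shows that the same lower bound applies to the strncmp calls in gx and g0 for any non-zero n, and contrasts them with the allocation pattern that gives the flexible member real storage. The struct name fam, the function names and the use of n as a length field are assumptions made for this illustration.

```c
/* Added example (not from the GCC bug report or from GCC): why strncmp on a
 * zero-size trailing member is an over-read, and the allocation pattern that
 * makes the same call in bounds.  Names (fam, strncmp_min_read, ...) are
 * assumptions for this illustration. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the struct in the report: the flexible member adds no bytes,
 * so an automatic object of this type has zero bytes of storage behind a. */
struct fam { char n; char a[]; };

/* Lower bound on bytes strncmp must read from s1 when n > 0: it has to look at
 * s1[0] before it can stop.  Zero when n == 0. */
size_t strncmp_min_read(size_t n)
{
    return n > 0 ? 1 : 0;
}

/* Upper bound on bytes strncmp reads from s1 when s2 is a NUL-terminated
 * string: it stops at the NUL of s2 (examining that position of s1 as well)
 * or after n bytes, whichever comes first. */
size_t strncmp_max_read(const char *s2, size_t n)
{
    size_t upto_nul = strlen(s2) + 1;
    return upto_nul < n ? upto_nul : n;
}

/* 1 if every execution of strncmp(s1, s2, n) reads past an object that has
 * `avail` bytes from s1 onward.  With avail == 0 this is the condition that
 * -Wstringop-overread reports for strcmp in fx/f0; it holds just as well for
 * strncmp(a.a, "123", 3) in gx/g0. */
int guaranteed_overread(size_t avail, size_t n)
{
    return strncmp_min_read(n) > avail;
}

/* 1 if some execution can read past the object (the weaker "may" condition). */
int possible_overread(size_t avail, const char *s2, size_t n)
{
    return strncmp_max_read(s2, n) > avail;
}

/* The in-bounds pattern: allocate the flexible member's storage explicitly. */
struct fam *fam_new(const char *s)
{
    size_t len = strlen(s);
    struct fam *p = malloc(offsetof(struct fam, a) + len + 1);
    if (p == NULL)
        return NULL;
    p->n = (char)len;               /* assumption: n records the length */
    memcpy(p->a, s, len + 1);       /* copies the terminating NUL too */
    return p;
}

/* Same call as in gx/g0, but on an object whose a[] actually has storage. */
int fam_starts_with(const struct fam *p, const char *prefix, size_t n)
{
    return strncmp(p->a, prefix, n) == 0;
}
```

guaranteed_overread(0, 3) is 1, which is the "reading 1 or more bytes from a region of size 0" case the warning already reports for strcmp; the only difference for strncmp is that the upper bound is capped at n, which does not change the lower bound the diagnostic rests on.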