[pcre-dev] [Bug 2037] New: A GCC 7 warning about possible buffer overflow in pcregrep when formatting an error message

Tue, 14 Feb 2017 08:34:03 -0800 

https://bugs.exim.org/show_bug.cgi?id=2037

            Bug ID: 2037
           Summary: A GCC 7 warning about possible buffer overflow in
                    pcregrep when formatting an error message
           Product: PCRE
           Version: 8.40
          Hardware: x86
               URL: https://kojipkgs.fedoraproject.org//packages/pcre/8.40
                    /1.fc26.2/data/logs/x86_64/build.log
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: p...@hermes.cam.ac.uk
          Reporter: ppi...@redhat.com
                CC: pcre-dev@exim.org

Created attachment 974
  --> https://bugs.exim.org/attachment.cgi?id=974&action=edit
Proposed fix

GCC 7 has new class of warnings that checks if a buffer supplied to sprintf()
is large enough for formatting any arguments
<https://gcc.gnu.org/gcc-7/changes.html>. It cough this issue in pcre-8.40:

pcregrep.c: In function 'main':
pcregrep.c:3183:68: warning: '%d' directive writing between 1 and 10 bytes into
a region of size 8 [-Wformat-overflow=]
     if (patterns->next == NULL) s[0] = 0; else sprintf(s, " number %d", j);
                                                                    ^~
pcregrep.c:3183:59: note: directive argument in the range [1, 2147483647]
     if (patterns->next == NULL) s[0] = 0; else sprintf(s, " number %d", j);
                                                           ^~~~~~~~~~~~
In file included from /usr/include/stdio.h:939:0,
                 from pcregrep.c:52:
/usr/include/bits/stdio2.h:33:10: note: '__builtin___sprintf_chk' output
between 10 and 19 bytes into a destination of size 16
   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       __bos (__s), __fmt, __va_arg_pack ());
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Indeed the `s' array has only 16 bytes and with the maximal value of `j', one
needs 19 bytes.

There are multiple ways how to fix it. Either one can allocate big enough
buffer (but this is not portable as some platforms can have larger ints), or
one can cast the `j' argument to shorter type if knows what what range of
values it will posses, or, as I chose, get rid of the offending sprintf() call.

See the attached patch.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev

Reply via email to