https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83430
Bug ID: 83430
Summary: buffer overflow diagnostics for snprintf is broken
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: bugzi...@poradnik-webmastera.com
Target Milestone: ---

[code]
#include <stdio.h>

struct S
{
    char str[20];
    char out[15];
};

void test(S* s)
{
    snprintf(s->out, sizeof(s->str), "[%s]", s->str);
}
[/code]

[out]
$ g++ -c -o test.o test.cc -O2 -Wall
test.cc: In function ‘void test(S*)’:
test.cc:9:6: warning: ‘]’ directive output may be truncated writing 1 byte into a region of size between 0 and 19 [-Wformat-truncation=]
 void test(S* s)
      ^~~~
test.cc:11:13: note: ‘snprintf’ output between 3 and 22 bytes into a destination of size 20
     snprintf(s->out, sizeof(s->str), "[%s]", s->str);
     ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[/out]

There are two problems there:
- snprintf does not detect that the actual size of out is 15 bytes, not 20;
- the code passes the size of one of the input arguments, which will be part of the output string, instead of the output buffer size.

Output for compilation with -D_FORTIFY_SOURCE=2 has the same problems.

g++ --version
g++ (GCC) 8.0.0 20171210 (experimental)
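As an added example (not part of the report or of GCC), here is a plain C version of the reporter's test() with the bound taken from the destination field rather than the source field, together with the run-time truncation check that snprintf's return value makes possible; the names format_into_out, output_was_truncated, run_case and struct result are assumptions of this example, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

struct S { char str[20]; char out[15]; };

struct result {
    int needed;     /* snprintf return value: length the full output needs */
    size_t stored;  /* characters actually placed in out (excluding NUL)   */
    int truncated;  /* 1 if the stored string was cut short               */
};

/* Fixed version of the report's test(): the bound is sizeof the destination
   field s->out, not sizeof the source field s->str, so snprintf writes at
   most 15 bytes (NUL included) and can never run past out. */
int format_into_out(struct S *s) {
    return snprintf(s->out, sizeof(s->out), "[%s]", s->str);
}

/* snprintf reports the length the complete string would have had; a value
   that does not fit below bufsize means the stored copy was truncated. */
int output_was_truncated(int needed, size_t bufsize) {
    return needed < 0 || (size_t)needed >= bufsize;
}

/* Copies a constructed input into str (bounded: str is only 20 bytes),
   formats it into out and reports what happened. */
struct result run_case(const char *input) {
    struct S s;
    struct result r;
    snprintf(s.str, sizeof(s.str), "%s", input);
    r.needed = format_into_out(&s);
    r.stored = strlen(s.out);
    r.truncated = output_was_truncated(r.needed, sizeof(s.out));
    return r;
}

int main(void) {
    /* Longest str the 20-byte field can hold: 19 'A's (10 + 9 below).
       "[" + 19 + "]" = 21 characters, but out has 14 usable bytes. */
    struct result r = run_case("AAAAAAAAAA" "AAAAAAAAA");
    printf("needed %d, stored %zu, truncated %d\n", r.needed, r.stored, r.truncated);

    r = run_case("hi");  /* "[hi]" is 4 characters and fits */
    printf("needed %d, stored %zu, truncated %d\n", r.needed, r.stored, r.truncated);
    return 0;
}
```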