https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77799

            Bug ID: 77799
           Summary: missing -Wformat-length warning on a trivial sprintf
                    overflow with no directives
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

Similar to bug 77671, GCC warns for a call to sprintf with a format string
containing no format directives that writes past the end of the destination if
the call contains redundant (unused) arguments but fails to issue the same
warning when there are no arguments.  The underlying reason is the same as in
bug 77671: GCC transforms the call with no redundant arguments to one to memcpy
before the warning pass has a chance to see it.

$ cat zzz.c && /build/gcc-trunk-git/gcc/xgcc -B /build/gcc-trunk-git/gcc -O2 -S -Wformat-length -fdump-tree-optimized=/dev/stdout zzz.c
char d [2];

extern int sprintf (char*, const char*, ...);

void f (void)
{
  sprintf (d, "123");
}

void g (void)
{ 
  sprintf (d, "123", 0);
}



;; Function f (f, funcdef_no=0, decl_uid=1795, cgraph_uid=0, symbol_order=1)

f ()
{
  <bb 2>:
  __builtin_memcpy (&d, "123", 4); [tail call]
  return;

}


zzz.c: In function ‘g’:
zzz.c:12:18: warning: writing format character ‘3’ at offset 2 past the end of
the destination [-Wformat-length=]
   sprintf (d, "123", 0);
                  ^
zzz.c:12:3: note: format output 4 bytes into a destination of size 2
   sprintf (d, "123", 0);
   ^~~~~~~~~~~~~~~~~~~~~

;; Function g (g, funcdef_no=1, decl_uid=1798, cgraph_uid=1, symbol_order=2)

g ()
{
  <bb 2>:
  sprintf (&d, "123", 0); [tail call]
  return;

}
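
Because the diagnostic can be lost when the call is folded to memcpy, as the report describes, the bound can instead be enforced in the code itself. The following is an added example, not part of the original report or of GCC; `COPY_LITERAL` and `checked_format` are hypothetical helper names, and `d` mirrors the report's 2-byte destination.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy a directive-free literal into a fixed-size array.
   The size check is a constant expression, so it fails the build in the front
   end and does not depend on any optimization or warning pass. */
#define COPY_LITERAL(dst, lit)                                      \
    do {                                                            \
        _Static_assert(sizeof(lit) <= sizeof(dst),                  \
                       "literal (with NUL) exceeds destination");   \
        memcpy((dst), (lit), sizeof(lit));                          \
    } while (0)

/* Hypothetical helper: bounded formatting that treats truncation as an error.
   Returns 0 on success, -1 if the output (with NUL) does not fit. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int checked_format(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            dst[0] = '\0';          /* never leave a truncated string behind */
        return -1;
    }
    return 0;
}

static char d[2];                   /* same size as the report's destination */
static char e[4];                   /* large enough for "123" plus NUL */

int main(void)
{
    /* COPY_LITERAL(d, "123");         would be rejected at compile time */
    COPY_LITERAL(e, "123");
    printf("e = %s\n", e);
    printf("format into d: %d\n", checked_format(d, sizeof d, "123"));
    return 0;
}
```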
