https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93518

            Bug ID: 93518
           Summary: missing warning on a possible overflow by sprintf %s
                    with an allocated argument
           Product: gcc
           Version: 10.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

In the test case below only the sprintf call in the first function is diagnosed for
the potential overflow, not the second.  They both should be.  The problem is
that the get_range_strlen_dynamic() function doesn't detect the size of the
allocated object.

$ cat a.c && gcc -O2 -S -Wall -Wextra a.c
char a5[5], a7[7];

void f (void*);

int g (void)
{
  f (a7);

  return __builtin_sprintf (a5, "%s", a7);   // warning (good)
}

int h (void)
{
  char *p7 = __builtin_malloc (7);

  f (p7);

  return __builtin_sprintf (a5, "%s", p7);   // missing warning
}
a.c: In function ‘g’:
a.c:9:34: warning: ‘%s’ directive writing up to 6 bytes into a region of size 5
[-Wformat-overflow=]
    9 |   return __builtin_sprintf (a5, "%s", a7);   // warning (good)
      |                                  ^~   ~~
a.c:9:10: note: ‘__builtin_sprintf’ output between 1 and 7 bytes into a
destination of size 5
    9 |   return __builtin_sprintf (a5, "%s", a7);   // warning (good)
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
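As an added illustration (my own code, not part of the report or of GCC), here is the size reasoning the warning performs, applied to a source of any object size, beside the bounded snprintf form that reports truncation instead of overflowing. The function names are assumptions; demo_heap_case() reproduces the report's h() with a 7-byte heap source and a 5-byte destination.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case number of bytes sprintf(dst, "%s", src) writes, including the
   terminating NUL, when all that is known about src is that it is a
   nul-terminated string stored in an object of src_size bytes: at most
   src_size - 1 characters plus the NUL.  This is the upper bound behind the
   "output between 1 and 7 bytes" note for a 7-byte source. */
size_t max_s_output (size_t src_size)
{
  return src_size == 0 ? 1 : src_size;   /* (src_size - 1) + 1 */
}

/* True when sprintf(dst, "%s", src) may write past the end of dst.  The
   report's point is that this holds whether src is a7 or malloc (7). */
bool may_overflow (size_t dst_size, size_t src_size)
{
  return max_s_output (src_size) > dst_size;
}

/* Hardened replacement: bounded copy that never writes past dst and reports
   truncation.  Returns true if the whole string (plus NUL) fit. */
bool copy_bounded (char *dst, size_t dst_size, const char *src)
{
  int n = snprintf (dst, dst_size, "%s", src);
  return n >= 0 && (size_t) n < dst_size;
}

/* Mirrors h() from the report: constructed 6-character string in a 7-byte
   heap object, copied into a 5-byte destination.  Returns false because the
   output was truncated rather than overflowing a5. */
bool demo_heap_case (void)
{
  char a5[5];
  char *p7 = malloc (7);
  if (!p7)
    return false;
  memcpy (p7, "abcdef", 7);            /* 6 chars + NUL: worst case for 7 bytes */
  bool fit = copy_bounded (a5, sizeof a5, p7);
  free (p7);
  return fit;
}
```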
