https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93518
Bug ID: 93518
Summary: missing warning on a possible overflow by sprintf %s with an allocated argument
Product: gcc
Version: 10.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---

In the test case below only the sprintf call in the first function is diagnosed for the potential overflow, not the second. They both should be. The problem is that the get_range_strlen_dynamic() function doesn't detect the size of the allocated object.

$ cat a.c && gcc -O2 -S -Wall -Wextra a.c
char a5[5], a7[7];

void f (void*);

int g (void)
{
  f (a7);
  return __builtin_sprintf (a5, "%s", a7);   // warning (good)
}

int h (void)
{
  char *p7 = __builtin_malloc (7);
  f (p7);
  return __builtin_sprintf (a5, "%s", p7);   // missing warning
}
a.c: In function ‘g’:
a.c:9:34: warning: ‘%s’ directive writing up to 6 bytes into a region of size 5 [-Wformat-overflow=]
    9 |   return __builtin_sprintf (a5, "%s", a7);   // warning (good)
      |                                  ^~   ~~
a.c:9:10: note: ‘__builtin_sprintf’ output between 1 and 7 bytes into a destination of size 5
    9 |   return __builtin_sprintf (a5, "%s", a7);   // warning (good)
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
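The report is about a missed compile-time diagnostic, but the bug it would catch is a real runtime overflow: a 7-byte heap allocation can legitimately hold a 6-character string, and sprintf "%s" of that string into a 5-byte array writes two bytes past the end. The following is an added example, not part of the bug report or of GCC, that makes the overflow from function h observable without relying on the warning, and shows the hardened form a practitioner would use instead (snprintf bounded by the destination size, with an explicit truncation check). The helper names make_source, bytes_needed and safe_copy, and the constructed string "abcdef", are assumptions of this example.

```c
/* Added example (not from the bug report): the overflow that the missing
 * -Wformat-overflow diagnostic fails to flag, and a hardened replacement. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same destination size as a5 in the report. */
#define DST_SIZE 5

/* Stand-in for what f() in the report might do to the malloc'd buffer:
 * store 6 characters plus the NUL terminator. That fits the 7-byte
 * allocation exactly, but is 7 bytes, two more than a5 can hold.
 * (constructed input for this example) */
char *make_source(void)
{
    char *p7 = malloc(7);
    if (!p7)
        return NULL;
    memcpy(p7, "abcdef", 7);   /* 6 chars + NUL = 7 bytes */
    return p7;
}

/* Number of bytes (excluding the NUL) that sprintf(dst, "%s", src) would
 * write. snprintf with a NULL buffer and size 0 computes the length without
 * touching any memory, so the overflow can be measured instead of triggered. */
int bytes_needed(const char *src)
{
    return snprintf(NULL, 0, "%s", src);
}

/* Hardened form of the pattern in the report: bound the write by the real
 * destination size and treat truncation as an error rather than silently
 * dropping bytes. Returns 0 on success, -1 if the output did not fit. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    int n = snprintf(dst, dst_size, "%s", src);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;   /* n is the length that would have been written */
    return 0;
}

int main(void)
{
    char a5[DST_SIZE];
    char *p7 = make_source();
    if (!p7)
        return 1;

    /* sprintf (a5, "%s", p7) would write bytes_needed(p7) + 1 == 7 bytes
     * into a 5-byte object: the case the report says should be diagnosed. */
    printf("sprintf would write %d bytes + NUL into a %d-byte buffer\n",
           bytes_needed(p7), DST_SIZE);

    if (safe_copy(a5, sizeof a5, p7) != 0)
        printf("safe_copy: output truncated, refusing to use a5\n");
    else
        printf("safe_copy: a5 = \"%s\"\n", a5);

    free(p7);
    return 0;
}
```

Note that the warning in the report is a best-effort static check; it depends on GCC being able to bound the length of the source string, which is exactly what fails for the malloc'd buffer here. Code that copies attacker-influenced strings into fixed buffers should be bounded at runtime (as in safe_copy) regardless of whether the compiler manages to warn.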