https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82645
Bug ID: 82645
Summary: missing -Wstringop-overflow on strcpy overflowing a
member array
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
GCC fails to issue -Wstringop-overflow for the buffer overflow in the following
test case unless it's compiled with -D_FORTIFY_SOURCE=2. The root cause is
that compute_builtin_object_size() fails. Ironically, removing the call to
sink (p->a) causes the warning to appear even without -D_FORTIFY_SOURCE=2.
As an aside, the byte count in the warning issued by GCC 8 (but not 7) with
-D_FORTIFY_SOURCE=2 is off by 1. The correct range (between 7 and INT_MAX) is
shown in the warning without the sink() call:
writing between 7 and 2147483647 bytes into a region of size 5 overflows
the destination
$ (set -x && cat y.c && gcc -O2 -Wall y.c && gcc -D_FORTIFY_SOURCE=2 -O2 -Wall
y.c)
+ cat y.c
#include <string.h>
struct S { char a[5]; void (*pf)(void); };
void __attribute__ ((weak))
sink (const char *s)
{
__builtin_printf ("%.7s\n", s);
}
void __attribute__ ((weak))
g (struct S *p, int n)
{
if (n < 7) n = 7;
strncpy (p->a, "123456", n); // missing -Wstringop-overflow without
-D_FORTIFY_SOURCE
sink (p->a); // removing this call triggers the warning
}
int main (void)
{
struct S s = { };
g (&s, 7);
}
+ gcc -O2 -Wall y.c
+ gcc -D_FORTIFY_SOURCE=2 -O2 -Wall y.c
In file included from /usr/include/string.h:635:0,
from y.c:1:
In function ‘strncpy’,
inlined from ‘g’ at y.c:16:3:
/usr/include/bits/string3.h:126:10: warning: ‘__builtin___strncpy_chk’ writing
6 bytes into a region of size 5 overflows the destination
[-Wstringop-overflow=]
return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
