Bug 45669 - strcpy_chk false positive
Summary: strcpy_chk false positive
Status: RESOLVED INVALID
Alias: None
Product: gcc
Classification: Unclassified
Component: c
Version: 4.5.1
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-14 16:54 UTC by Evan Teran
Modified: 2010-09-14 17:09 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:

Description Evan Teran 2010-09-14 16:54:37 UTC
Some constructs incorrectly cause gcc to warn that they will always cause a buffer overflow. For example, this is a minimalistic version of a warning found in wine-1.3.2:

----------
#include <string.h>
#include <stdlib.h>
#include <stdint.h>

struct T {
	union {
		struct {
			char str[1];	/* one-element array used as a trailing buffer (the "struct hack") */
		} x;
	} u;
};

int main() {
	struct T *p = malloc(sizeof(char) * 100);	/* 100 bytes: ample room past str[1] */
	if (!p)
		return 1;
	strcpy(p->u.x.str, "ABCD");	/* the fortified strcpy is checked against the 1-byte field, not the 100-byte object */
	return 0;
}
----------

This is a slightly obfuscated version of the struct hack and is clearly not a buffer overflow. Yet compiling with: "gcc -O2 test.c -o test" results in:
In file included from /usr/include/string.h:640:0,
                 from test.c:2:
In function 'strcpy',
    inlined from 'main' at test.c:16:8:
/usr/include/bits/string3.h:107:3: warning: call to __builtin___strcpy_chk will always overflow destination buffer
Comment 1 Jakub Jelinek 2010-09-14 17:09:05 UTC
This is intentional; considering this a flexible array member is already far beyond what should be allowed.
Either use a true flexible array member, or use memcpy instead (which isn't limited to field boundaries, only to object boundaries).
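The two alternatives given in the reply, as an added example that is not code from the bug report or from GCC: a true flexible array member whose capacity the program records itself, and memcpy on the reporter's layout bounded by the whole object rather than the 1-byte field. The names fam_new, fam_set and hack_set are assumed helper names.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layouts: the reporter's one-element array buried in a union
 * (the "struct hack") beside the C99 flexible array member the reply asks for. */
struct hack {
	union { struct { char str[1]; } x; } u;
};

struct fam {
	size_t cap;	/* bytes allocated for str[], tracked by hand */
	char str[];	/* true flexible array member */
};

/* Allocate a struct fam with room for cap bytes of string data. */
struct fam *fam_new(size_t cap)
{
	struct fam *p = malloc(offsetof(struct fam, str) + cap);
	if (p)
		p->cap = cap;
	return p;
}

/* Copy src into p->str. The compiler cannot bound a flexible array member,
 * so the check against the recorded capacity is the only one there is. */
int fam_set(struct fam *p, const char *src)
{
	size_t n = strlen(src) + 1;
	if (n > p->cap)
		return -1;
	memcpy(p->str, src, n);
	return 0;
}

/* The memcpy option for the hack layout: the fortified memcpy is checked
 * against the whole object (obj_size, the 100-byte malloc in the report),
 * not the 1-byte field, so the explicit check is against that boundary. */
int hack_set(struct hack *p, size_t obj_size, const char *src)
{
	size_t off = offsetof(struct hack, u.x.str);
	size_t n = strlen(src) + 1;
	if (obj_size < off || n > obj_size - off)
		return -1;
	memcpy(p->u.x.str, src, n);
	return 0;
}
```

Both paths replace a field-size check the compiler cannot do correctly with an object-size check the program can.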