This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug libmudflap/29691] New: libmudflap misses buffer overrun in sprintf
- From: "p dot vanhoof at oma dot be" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 2 Nov 2006 18:46:05 -0000
- Subject: [Bug libmudflap/29691] New: libmudflap misses buffer overrun in sprintf
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
The attached program writes to buf[16] using sprintf. The format writes 15
characters and then explicitly appends a \0 byte using %c. Subsequently sprintf
will implicitly append another \0 byte itself so that in total 17 bytes are
written to buf, i.e. 1 byte too many. One can readily check that the first
character of a[4] is indeed overwritten by a \0 byte. libmudflap misses this
buffer overrun:
> gcc -fmudflap test8.i -lmudflap
> a.out
> gcc -v
Using built-in specs.
Target: x86_64-unknown-linux-gnu
Configured with: /dump1/root/temp/gcc/configure --prefix=/usr/local/gcc430
--enable-languages=c,c++,fortran
Thread model: posix
gcc version 4.3.0 20061030 (experimental)
If the character written with the %c format specifier had been anything
other than \0, the buffer overrun would have been caught by libmudflap. This
bug is present with the following gcc versions: 4.0.3, 4.1.1, 4.2.0
(20061030), and the mainline as listed above. This applies to both AMD64 and
IA32 platforms.
--
Summary: libmudflap misses buffer overrun in sprintf
Product: gcc
Version: 4.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libmudflap
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: p dot vanhoof at oma dot be
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29691
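The off-by-one the report describes, as an added example in C; this is not the reporter's attached test8.i (which is not reproduced on this page) and not libmudflap code. It assumes a constructed 15-character string and the format "%15s%c" with a '\0' passed to %c, as in the report. It measures the result two ways: a strlen() of the output sees 15 characters, because strlen stops at the NUL that %c wrote, while the return value of a size-0 vsnprintf counts that NUL and shows that sprintf stores 17 bytes, one more than buf[16] holds. A checked_sprintf() wrapper that compares the vsnprintf return value against the buffer size refuses the write for both '\0' and a visible character. The strlen comparison illustrates why a NUL written by %c is easy to miss; it is not a description of libmudflap's internals.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example; not the reporter's test8.i. The format and sizes
 * follow the report: 15 visible characters, a '\0' appended through %c,
 * then sprintf's own terminator, aimed at a 16-byte buffer. */
#define FMT   "%15s%c"
#define TEXT  "ABCDEFGHIJKLMNO"   /* 15 characters (assumed input) */
#define BUFSZ 16

/* Bytes sprintf(3) would store for fmt/args, including the implicit NUL.
 * Measured with a zero-size vsnprintf, which stores nothing. */
static size_t bytes_sprintf_would_write(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* What strlen() of the formatted result reports. A NUL emitted by %c ends
 * the string early, so this undercounts what sprintf actually stored. */
static size_t visible_length(const char *fmt, ...)
{
    char scratch[64];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(scratch, sizeof scratch, fmt, ap);
    va_end(ap);
    return strlen(scratch);
}

/* Hardened replacement for sprintf: formats into buf[bufsz] only if the
 * whole result, terminator included, fits. Returns 1 on success; 0 (with
 * buf emptied) if the output would have been truncated or on error. */
static int checked_sprintf(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz > 0)
            buf[0] = '\0';
        return 0;
    }
    return 1;
}

/* The report's case: does FMT with the given %c argument fit in a buffer
 * of bufsz bytes (bufsz <= 64)? */
static int report_case_fits(size_t bufsz, int terminator)
{
    char buf[64];
    if (bufsz > sizeof buf)
        return 0;
    return checked_sprintf(buf, bufsz, FMT, TEXT, terminator);
}

int main(void)
{
    printf("bytes sprintf stores:        %zu\n", bytes_sprintf_would_write(FMT, TEXT, '\0'));
    printf("strlen of the result:        %zu\n", visible_length(FMT, TEXT, '\0'));
    printf("fits in %d with %%c = '\\0':  %d\n", BUFSZ, report_case_fits(BUFSZ, '\0'));
    printf("fits in %d with %%c = 'X':   %d\n", BUFSZ, report_case_fits(BUFSZ, 'X'));
    printf("fits in %d with %%c = '\\0':  %d\n", BUFSZ + 1, report_case_fits(BUFSZ + 1, '\0'));
    return 0;
}
```

The practical check is the one checked_sprintf() makes: the return value of snprintf/vsnprintf counts every character the format produced, NUL from %c included, so comparing it against the buffer size catches this case even though strlen() of the result would not.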