This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug tree-optimization/86349] New: diagnose string overflow for allocations of non-constant sizes
- From: "msebor at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Thu, 28 Jun 2018 16:31:42 +0000
- Subject: [Bug tree-optimization/86349] New: diagnose string overflow for allocations of non-constant sizes
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86349
Bug ID: 86349
Summary: diagnose string overflow for allocations of non-constant sizes
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
Even though the lengths of the strings in the test case below are unknown, it is
possible to determine that the strcpy() call overflows the destination because
it writes one more byte into the region than has been allocated for it. This
type of error can be detected in the strlen() pass by looking at the size of
the destination of a call like strcpy or memcpy and comparing it to the length
of the source string. Even if neither is constant, if the length of the source
is greater than the size of the destination (or very likely greater, ignoring
unsigned integer wrapping), diagnosing it would catch the error.
$ cat c.c && gcc -O2 -S -Wall -fdump-tree-strlen=/dev/stdout c.c
char* f (const char *s)
{
  __SIZE_TYPE__ n = __builtin_strlen (s);
  char *p = __builtin_malloc (n);
  __builtin_strcpy (p, s);
  return p;
}
;; Function f (f, funcdef_no=0, decl_uid=1898, cgraph_uid=1, symbol_order=0)
f (const char * s)
{
  char * p;
  long unsigned int n;
  long unsigned int _8;

  <bb 2> [local count: 1073741825]:
  n_3 = __builtin_strlen (s_2(D));
  p_5 = __builtin_malloc (n_3);
  _8 = n_3 + 1;
  __builtin_memcpy (p_5, s_2(D), _8);
  return p_5;
}
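The following is an added illustration, not code from GCC or from the reporter, of the symbolic comparison the report proposes. It models a straight-line GIMPLE-like program as (lhs, op, args) tuples and tracks every size as "SSA name + constant offset", so that the malloc argument n_3 and the memcpy length n_3 + 1 stay comparable even though neither is a constant. The IR shape, the `Size`, `exceeds` and `check` names, and the sample programs are all constructed for this example; the statements in the first sample mirror the strlen dump above, and a second sample shows the fixed allocation of n + 1 bytes passing the check.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added model (not GCC's strlen pass): a size is an SSA name plus a constant
# offset.  sym is None when the size is a plain constant.
@dataclass(frozen=True)
class Size:
    sym: Optional[str]
    off: int

    def __add__(self, k: int) -> "Size":
        return Size(self.sym, self.off + k)

    def __str__(self) -> str:
        return f"{self.off}" if self.sym is None else f"{self.sym} + {self.off}"


def exceeds(write: Size, alloc: Size) -> Optional[bool]:
    """True if `write` bytes certainly overflow a region of `alloc` bytes,
    False if they certainly fit, None if the two sizes depend on different
    symbols and cannot be compared.  Unsigned wrapping of the offsets is
    ignored, as the report suggests."""
    if write.sym != alloc.sym:
        return None
    return write.off > alloc.off


# Statement shape: (lhs, op, args); SSA names are str, constants are int.
Stmt = Tuple[Optional[str], str, list]


def check(stmts: List[Stmt]) -> List[str]:
    """Walk the program once and return one diagnostic per strcpy/memcpy
    whose write certainly exceeds the bytes malloc'd for its destination."""
    values: Dict[str, Size] = {}   # integer SSA name -> symbolic value
    lengths: Dict[str, Size] = {}  # string SSA name  -> its strlen() result
    allocs: Dict[str, Size] = {}   # pointer SSA name -> bytes allocated
    diags: List[str] = []

    def val(a) -> Size:
        # Constants are exact; an SSA name with no known value is its own symbol.
        return Size(None, a) if isinstance(a, int) else values.get(a, Size(a, 0))

    for lhs, op, args in stmts:
        if op == "strlen":                      # n = strlen(s)
            values[lhs] = Size(lhs, 0)
            lengths[args[0]] = values[lhs]
        elif op == "add":                       # lhs = name + constant
            values[lhs] = val(args[0]) + args[1]
        elif op == "malloc":                    # p = malloc(size)
            allocs[lhs] = val(args[0])
        elif op in ("strcpy", "memcpy"):
            dst, src = args[0], args[1]
            if op == "strcpy":
                if src not in lengths:          # source length unknown: no claim
                    continue
                written = lengths[src] + 1      # strlen(src) plus the NUL
            else:
                written = val(args[2])
            if dst in allocs and exceeds(written, allocs[dst]):
                diags.append(f"{op} writes {written} bytes into {dst}, "
                             f"which holds {allocs[dst]} bytes")
    return diags


# Constructed sample mirroring the dump in the report: malloc(n) then n + 1 bytes.
BUGGY: List[Stmt] = [
    ("n_3", "strlen", ["s_2"]),
    ("p_5", "malloc", ["n_3"]),
    ("_8", "add", ["n_3", 1]),
    (None, "memcpy", ["p_5", "s_2", "_8"]),
]

# Constructed sample of the corrected function: malloc(n + 1).
FIXED: List[Stmt] = [
    ("n_3", "strlen", ["s_2"]),
    ("_7", "add", ["n_3", 1]),
    ("p_5", "malloc", ["_7"]),
    (None, "strcpy", ["p_5", "s_2"]),
]

if __name__ == "__main__":
    for d in check(BUGGY):
        print("warning:", d)
```

The check only fires when the written size and the allocated size share the same symbol, so a destination sized from an unrelated variable produces no diagnostic; that is the deliberate trade-off between catching the off-by-one above and avoiding false positives on sizes the pass cannot relate.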