This is the mail archive of the gcc-prs@gcc.gnu.org mailing list for the GCC project.
c/410: gcc-2.95.2 generates "buffer overflows"
- To: gcc-gnats at gcc dot gnu dot org
- Subject: c/410: gcc-2.95.2 generates "buffer overflows"
- From: jan dot echternach at informatik dot uni-rostock dot de
- Date: 13 Jul 2000 19:15:19 -0000
- Reply-To: jan dot echternach at informatik dot uni-rostock dot de
- Resent-Cc: gcc-prs at gcc dot gnu dot org
- Resent-Reply-To: gcc-gnats@gcc.gnu.org, jan.echternach@informatik.uni-rostock.de
>Number: 410
>Category: c
>Synopsis: gcc-2.95.2 generates "buffer overflows"
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: unassigned
>State: open
>Class: wrong-code
>Submitter-Id: net
>Arrival-Date: Thu Jul 13 12:16:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Jan Echternach
>Release: gcc version 2.95.2 19991024 (release)
>Organization:
>Environment:
ix86-linux, e.g. unmodified SuSE 6.4
Reading specs from /usr/lib/gcc-lib/i486-suse-linux/2.95.2/specs
>Description:
When gcc generates the code for a specific initialization of
an 'auto' variable, it produces code that overwrites too
much of the stack. For example, the beginning of foo() in
the attached source is compiled to
foo:
    pushl %ebp
    movl %esp,%ebp
    subl $24,%esp
    movl $2,-8(%ebp)
    movl $0,-4(%ebp)
    movl $0,0(%ebp)     # <- !!!
The last statement overwrites the old %ebp value, causing
a SIGSEGV when foo() returns and main() tries to access a
local variable. I've noticed that this bug isn't triggered
by bar(), which is identical to foo() except for the value
of the initializer.
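As an added illustration (not part of the original report), a small Python check that reads the prologue and the initializer stores out of a listing like the one above and flags any store that reaches 0(%ebp) or beyond, i.e. the saved frame pointer or the return address. It assumes the usual i386 frame (`subl $N,%esp` reserves N bytes of locals below %ebp) and that sizeof of the reported struct is 8 on i386.

```python
import re
# Constructed from the listing in the report above: foo()'s prologue and the
# three initializer stores, the last of which lands on the saved %ebp.
FOO_LISTING = """\
foo:
pushl %ebp
movl %esp,%ebp
subl $24,%esp
movl $2,-8(%ebp)
movl $0,-4(%ebp)
movl $0,0(%ebp)
"""
# Assumption: i386 ABI, so sizeof(struct {long a; char b[1];}) is 8 (4 + 1 + 3 pad)
SIZEOF_X = 8

STORE_WIDTH = {"movb": 1, "movw": 2, "movl": 4}
FRAME_RE = re.compile(r"^subl\s+\$(\d+),\s*%esp$")
STORE_RE = re.compile(r"^(mov[bwl])\s+\S+,\s*(-?\d*)\(%ebp\)$")

def _stores(listing):
    """Yield (frame_size_or_None, offset, width) for each store through %ebp."""
    frame = None
    for raw in listing.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "# <- !!!" style remarks
        m = FRAME_RE.match(line)
        if m:
            frame = int(m.group(1))
            continue
        m = STORE_RE.match(line)
        if m:
            yield frame, int(m.group(2) or 0), STORE_WIDTH[m.group(1)]

def check_frame_stores(listing):
    """List (offset, width, reason) for stores that miss the locals area [-frame, 0).
    0(%ebp) is the saved %ebp and 4(%ebp) the return address, so reaching 0 corrupts the caller."""
    bad = []
    for frame, off, width in _stores(listing):
        if frame is None:
            bad.append((off, width, "store before frame allocated"))
        elif off >= 4:
            bad.append((off, width, "return address or caller frame"))
        elif off + width > 0:
            bad.append((off, width, "saved %ebp"))
        elif off < -frame:
            bad.append((off, width, "below allocated frame"))
    return bad

def initializer_bytes(listing):
    """Bytes written by all stores; more than sizeof(x) means the fill overran."""
    return sum(width for _, _, width in _stores(listing))
```

On the listing above it reports the 4-byte store at 0(%ebp) and a total of 12 bytes written for an 8-byte object, i.e. the zero-fill ran 4 bytes past the end of x.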
>How-To-Repeat:
static void foo (void)
{
    /* Initializer with a zero in b[]: gcc 2.95.2 zero-fills past the end
       of x and clobbers the saved %ebp (see the listing above).  */
    struct {
        long a;
        char b[1];
    } x = { 2, { 0 } };
}

static void bar (void)
{
    /* Identical to foo() except that b[0] is 1; this one is not miscompiled.  */
    struct {
        long a;
        char b[1];
    } x = { 2, { 1 } };
}

int main (void)
{
    int tmp;

    foo ();
    tmp = 1;        /* accessing a local through the clobbered %ebp faults here */
    return 0;
}
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: