Bug 78760

Summary: strcpy buffer overflow not diagnosed with -Wstringop-overflow
Product: gcc
Reporter: Martin Sebor <msebor>
Component: middle-end
Assignee: Not yet assigned to anyone <unassigned>
Status: NEW
Severity: normal
CC: dimhen, dmalcolm, dodji, egallager
Priority: P3
Keywords: diagnostic
Version: 7.0
Target Milestone: ---
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2017-08-28 00:00:00
Bug Depends on:
Bug Blocks: 88443

Description Martin Sebor 2016-12-10 00:30:00 UTC
With the new -Wstringop-overflow option GCC diagnoses the more involved buffer overflow in function foo() but misses the more straightforward case of the same overflow in bar().  This is because the second call to __builtin_strcpy is transformed into __builtin_memcpy by one of the optimization passes, apparently without regard to the possibility of overflow.

$ cat x.C && gcc -O2 -S -Wstringop-overflow=2 x.C
struct S {
  char a[3];
  void (*pf)(void);
};

void foo (struct S *s, int i)
{
  const char *str = i ? "1234578" : "87654321";
  __builtin_strcpy (s->a, str);
}

void bar (struct S *s, int i)
{
  const char *str = "1234578";
  __builtin_strcpy (s->a, str);   // missing -Wstringop-overflow
}


x.C: In function ‘void foo(S*, int)’:
x.C:9:31: warning: ‘char* __builtin_strcpy(char*, const char*)’ writing 8 bytes into a region of size 3 overflows the destination [-Wstringop-overflow=]
   __builtin_strcpy (s->a, str);
                               ^
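Added example, not part of the report: the size check the missed diagnostic would have made for bar(), performed at run time against the same struct S, so that the 8-byte copy of "1234578" into the 3-byte array is refused instead of overwriting the adjacent function pointer. The helper names (strcpy_bytes, copy_checked, bar_checked) are assumptions for illustration.

```c
#include <string.h>

/* Same layout as the bug report: a 3-byte array followed by a function
   pointer, so an unchecked strcpy of "1234578" runs into pf. */
struct S {
  char a[3];
  void (*pf)(void);
};

/* Number of bytes strcpy writes: the length plus the terminating NUL. */
size_t strcpy_bytes (const char *src)
{
  return strlen (src) + 1;
}

/* The comparison -Wstringop-overflow makes at compile time, done at run
   time: 1 if copying src into a region of dstsz bytes would overflow. */
int copy_would_overflow (size_t dstsz, const char *src)
{
  return strcpy_bytes (src) > dstsz;
}

/* Bounded copy: copies only when the whole string plus NUL fits.
   Returns 0 on success, -1 (leaving dst untouched) on overflow. */
int copy_checked (char *dst, size_t dstsz, const char *src)
{
  if (copy_would_overflow (dstsz, src))
    return -1;
  memcpy (dst, src, strcpy_bytes (src));
  return 0;
}

/* Hardened form of bar(): the destination size comes from the array
   itself, so a constant-source strcpy that the optimizer folds into
   memcpy cannot silently clobber s->pf. */
int bar_checked (struct S *s, const char *str)
{
  return copy_checked (s->a, sizeof s->a, str);
}

static void marker (void) {}

/* Returns 1 if pf survives an attempted oversized copy (constructed case). */
int pf_intact_after_checked_copy (void)
{
  struct S s;
  s.pf = marker;
  bar_checked (&s, "1234578");   /* 8 bytes into 3: refused */
  return s.pf == marker;
}
```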
Comment 1 Eric Gallager 2017-08-28 16:53:38 UTC
Confirmed.
Comment 2 Eric Gallager 2018-11-03 02:50:47 UTC
cc-ing diagnostics maintainers