Bug 42582 - fortify with optimisation above -O0 cause abort in realpath()
Alias: None
Product: gcc
Classification: Unclassified
Component: middle-end
Version: 4.4.2
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2010-01-02 19:59 UTC by Peter
Modified: 2010-01-03 11:38 UTC

Description Peter 2010-01-02 19:59:16 UTC
realpath() built with >=gcc-4.3 (where FORTIFY is enabled by default) and -Ox
where x>0 causes the application to abort.

Test case: the following code built with gcc -O2:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main (int argc, char *argv[])
{
    int ret;
    /* fixed 1024-byte destination buffer, as in the report */
    char device_file_or_mount_point[1024];

    if (argc < 2 || strlen (argv[1]) == 0) {
        fprintf (stderr, "%s: pass relative path.\n", argv[0]);
        return 1;
    }

    /* resolved path is written into the 1024-byte buffer */
    realpath(argv[1], device_file_or_mount_point);

    return 0;
}

 $ ./a.out /boot/
*** buffer overflow detected ***: ./a.out terminated
======= Backtrace: =========
======= Memory map: ========

I found this bug with umount.hal helper which started to fail here after this

But probably other applications are affected too. At least I found similar
issue with python reported here:

Also I found that scilab has 6a5321bddceaf0e4761f29a507bfad6e1f3a7b33 commit
(googleable) that basically modifies realpath(r,a) call to a=realpath(r,NULL).

Reproduced with gcc-4.4.2 (glibc-2.11) and gcc-4.3.4 (glibc-2.9_p20081201-r2)
 $ LC_ALL=C gcc --version
gcc (Gentoo 4.4.2 p1.0) 4.4.2
 $ uname -a
Linux tablet 2.6.32-gentoo #2 SMP PREEMPT Sat Dec 19 23:36:55 MSK 2009 x86_64 Intel(R) Core(TM)2 Duo CPU L7500 @ 1.60GHz GenuineIntel GNU/Linux

Comment 1 Harald van Dijk 2010-01-02 20:26:54 UTC
The buffer should be at least PATH_MAX bytes. If PATH_MAX > 1024, then 1024 bytes need not be enough. But anyway, realpath() comes from glibc, so even if this is a bug, you're reporting it to the wrong folks.

Comment 2 Richard Biener 2010-01-02 20:27:46 UTC
You also need to attach preprocessed source as it will be very glibc

Comment 3 Jakub Jelinek 2010-01-03 11:38:09 UTC
The testcase is indeed invalid, if the second argument to realpath is not NULL, it must be a buffer at least PATH_MAX bytes long.
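
The two valid call forms named in this thread (a buffer of at least PATH_MAX bytes, or a NULL second argument so that realpath() allocates the result), as an added example that is not part of the bug report or of any project mentioned in it. The helper names resolve_alloc and resolve_into are hypothetical.

```c
/* Added example: helper names are hypothetical, not from the bug report. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Form 1: NULL second argument, realpath() allocates the result.
 * The caller owns the returned string and must free() it. */
char *resolve_alloc(const char *path)
{
    return realpath(path, NULL);
}

/* Form 2: caller-supplied buffer. Anything shorter than PATH_MAX is
 * rejected up front instead of being handed to realpath(). */
char *resolve_into(const char *path, char *buf, size_t buflen)
{
    if (buf == NULL || buflen < PATH_MAX) {
        errno = ERANGE;
        return NULL;
    }
    return realpath(path, buf);
}

int main(int argc, char *argv[])
{
    char buf[PATH_MAX];   /* sized as the comments above require */
    char *p;

    if (argc < 2 || argv[1][0] == '\0') {
        fprintf(stderr, "%s: pass a path.\n", argv[0]);
        return 1;
    }
    p = resolve_alloc(argv[1]);
    if (p == NULL) { perror("realpath"); return 1; }
    printf("allocated:       %s\n", p);
    free(p);

    if (resolve_into(argv[1], buf, sizeof buf) == NULL) {
        perror("realpath");
        return 1;
    }
    printf("PATH_MAX buffer: %s\n", buf);
    return 0;
}
```

Both forms build and run under -O2 with fortification enabled, because the destination is either allocated by realpath() itself or is at least PATH_MAX bytes long.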