I just tried to compile the following C++ code with the latest trunk
snapshot 20110723 on an AMD x86_64 box.
# include <stdio.h>
char * p = new char ;
sprintf(p, "ian"); // Legal
sprintf(p, "bert"); // One over
sprintf(p, "harry"); // definately wrong.
sprintf(p, "%s", "harry"); // more subtle.
sprintf(q, "%s", "harry");
sprintf(p, "%s %s", "ab", "cd"); // more subtle still.
sprintf(q, "%s %s", "ab", "cd");
sprintf(p, "%s %d", "ab", 1000); // overpoints.
sprintf(q, "%s %d", "ab", 1000);
Much to my surprise, the compiler, even with lots of flags, said not much
bash-4.2$ ~/gcc/20110723/results/bin/g++ -c -O2 -Wall -Wextra -pedantic bug29.cc
I'd have expected a few warnings, at very least.
Surely something in the compiler could be done to check that sprintf is
called, the destination buffer size is known, the minimum source buffer
size is known, and compare the two to make sure the source fits inside
the destination ?
Such a warning will in my experience find plenty of bugs in application code.
Just use also -D_FORTIFY_SOURCE=1 -O2 or -D_FORTIFY_SOURCE=2 -O2.
For the first three overflows on q you'll get compile time warnings, and for all overflows on q you'll get the program killed at runtime.
If you use char * p = (char *) malloc (4);
instead of char * p = new char ;
you'll get protection for the p overflows too, I'll see if __builtin_object_size could be taught about C++ new, at least some forms thereof.
Date: Thu Aug 4 07:40:24 2011
New Revision: 177316
* tree.h (init_attributes): New prototype.
* attribs.c (init_attributes): No longer static.
* decl.c (cxx_init_decl_processing): Add alloc_size (1) attribute
for operator new and operator new . Call init_attributes.
* g++.dg/ext/builtin-object-size3.C: New test.