Bug 78760 - strcpy buffer overflow not diagnosed with -Wstringop-overflow
Summary: strcpy buffer overflow not diagnosed with -Wstringop-overflow
Status: NEW
Alias: None
Product: gcc
Classification: Unclassified
Component: middle-end (show other bugs)
Version: 7.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords: diagnostic
Depends on:
Blocks: Wstringop-overflow
  Show dependency treegraph
 
Reported: 2016-12-10 00:30 UTC by Martin Sebor
Modified: 2021-03-28 07:14 UTC (History)
4 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2017-08-28 00:00:00


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Sebor 2016-12-10 00:30:00 UTC
With the new -Wstringop-overflow option GCC diagnoses the more involved buffer overflow in function foo() but misses the more straightforward case of the same overflow in bar().  This because the second call to __builtin_strcpy is transformed into __builtin_memcpy by one of the optimization passes, apparently without regard to the possibility of overflow.

$ cat x.C && gcc -O2 -S -Wstringop-overflow=2 x.C
struct S {
  char a[3];
  void (*pf)(void);
};

void foo (struct S *s, int i)
{
  const char *str = i ? "1234578" : "87654321";
  __builtin_strcpy (s->a, str);
}

void bar (struct S *s, int i)
{
  const char *str = "1234578";
  __builtin_strcpy (s->a, str);   // missing -Wstringop-overflow
}


x.C: In function ‘void foo(S*, int)’:
x.C:9:31: warning: ‘char* __builtin_strcpy(char*, const char*)’ writing 8 bytes into a region of size 3 overflows the destination [-Wstringop-overflow=]
   __builtin_strcpy (s->a, str);
                               ^
Comment 1 Eric Gallager 2017-08-28 16:53:38 UTC
Confirmed.
Comment 2 Eric Gallager 2018-11-03 02:50:47 UTC
cc-ing diagnostics maintainers