Bug 86349 - diagnose string overflow for allocations of non-constant sizes
Summary: diagnose string overflow for allocations of non-constant sizes
Alias: None
Product: gcc
Classification: Unclassified
Component: middle-end (show other bugs)
Version: 8.0
: P3 enhancement
Target Milestone: 10.0
Assignee: Martin Sebor
Keywords: diagnostic
Depends on:
Blocks: Wstringop-overflow
  Show dependency treegraph
Reported: 2018-06-28 16:31 UTC by Martin Sebor
Modified: 2020-06-17 20:04 UTC (History)
0 users

See Also:
Known to work: 10.1.0
Known to fail: 7.3.0, 8.2.0, 9.2.0
Last reconfirmed:


Note You need to log in before you can comment on or make changes to this bug.
Description Martin Sebor 2018-06-28 16:31:42 UTC
Even though the lengths of the strings in the test case below are unknown it is possible to determine that the strcpy() call overflows the destination because it writes one more byte into the region than have been allocated for it.  This type of an error can be detected in the strlen() pass by looking at the size of the destination of a call like strcpy or memcpy and comparing it to the length of the source string.  Even if neither is constant, if the length of the source is greater than the size of the destination (or very likely greater, ignoring unsigned integer wrapping), diagnosing it would catch the error.

$ cat c.c && gcc -O2 -S -Wall -fdump-tree-strlen=/dev/stdout c.c
char* f (const char *s)
  __SIZE_TYPE__ n = __builtin_strlen (s);
  char *p = __builtin_malloc (n);
  __builtin_strcpy (p, s);
  return p;

;; Function f (f, funcdef_no=0, decl_uid=1898, cgraph_uid=1, symbol_order=0)

f (const char * s)
  char * p;
  long unsigned int n;
  long unsigned int _8;

  <bb 2> [local count: 1073741825]:
  n_3 = __builtin_strlen (s_2(D));
  p_5 = __builtin_malloc (n_3);
  _8 = n_3 + 1;
  __builtin_memcpy (p_5, s_2(D), _8);
  return p_5;

Comment 1 Martin Sebor 2020-06-17 20:04:45 UTC
Done in GCC 10:

$ gcc -O2 -S -Wall -Wextra pr86349.c
pr86349.c: In function ‘f’:
pr86349.c:5:3: warning: ‘__builtin_strcpy’ writing one too many bytes into a region of a size that depends on ‘strlen’ [-Wstringop-overflow=]
    5 |   __builtin_strcpy (p, s);
      |   ^~~~~~~~~~~~~~~~~~~~~~~
pr86349.c:4:13: note: at offset 0 to an object allocated by ‘__builtin_malloc’ here
    4 |   char *p = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~