[Bug middle-end/49905] Better sanity checking on sprintf src & dest to produce warning for dodgy code ?

dcb314 at hotmail dot com gcc-bugzilla@gcc.gnu.org
Tue May 3 07:11:00 GMT 2016


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=49905

--- Comment #5 from David Binderman <dcb314 at hotmail dot com> ---
(In reply to Martin Sebor from comment #3)
> 5.1 and 6.1 warn on the first six out of the ten buffer overflows, and on
> Linux the program aborts at runtime in __sprintf_chk.
> 
> GCC still doesn't diagnose any of the last four problems at compile time

My local version does. Some tweaks to gcc/builtins.c. 69 formats understood.

> (e.g., in 'char buf [4]; sprintf (buf, "%s %s", "abc", "def");')  It seems
> that this class of problems could be handled by enhancing
> maybe_emit_sprintf_chk_warning to loop over the format string, recognize
> more involved format strings with embedded %s (and other simple directives),
> and count the number of characters they emit for constant arguments.  

Indeed. Anything it doesn't understand it can afford to ignore.
It is only computing a lower bound.

> For slightly better compile-time coverage the approach could even assume that
> simple non-string directives like %i result in at least one character and
> compute an optimistic lower bound on the length of the formatted string.

That's right - it could even take account of other things like field widths.
My local version can find all the problems mentioned in the original bug
report.

Speculative patch attached. It'll need a lot of work to get it up to the
required standard, but it gives the general idea and it's been working
happily locally for years over the code of Red Hat Fedora Linux and some
other projects.
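The lower-bound counting that comments #3 and #5 describe, written out as a stand-alone C sketch. This is an added example, not David Binderman's patch and not GCC's maybe_emit_sprintf_chk_warning; the struct fmt_arg type and the two function names are invented for the illustration. It walks the format string, counts literal characters, uses strlen for %s with a string-literal argument, assumes at least one character for integer and floating directives (dropping to zero when an explicit precision makes an empty result possible, as "%.0d" with a zero value does), treats a literal field width as a guaranteed minimum, and contributes nothing for anything it does not understand, so the result is always a true lower bound. A warning is justified only when that bound plus the terminating NUL exceeds the destination size.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* How the checker sees each argument at compile time (hypothetical
 * model): a string literal of known length, or anything else. */
enum arg_kind { ARG_STR_CONST, ARG_UNKNOWN };

struct fmt_arg {
    enum arg_kind kind;
    const char *str;   /* only meaningful when kind == ARG_STR_CONST */
};

/* Lower bound on the characters sprintf emits for fmt (excluding the NUL).
 * Directives that are not understood contribute 0.  Returns -1 only when
 * the format string ends in the middle of a directive. */
static long sprintf_min_len(const char *fmt, const struct fmt_arg *args, size_t nargs)
{
    long total = 0;
    size_t ai = 0;                                 /* next argument to consume */

    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { total++; continue; }      /* literal character */
        p++;
        if (*p == '%') { total++; continue; }      /* "%%" emits a single '%' */

        while (*p && strchr("-+ #0", *p)) p++;     /* flags */

        /* Field width: a literal width is a guaranteed minimum; '*' takes
         * the width from an argument we know nothing about. */
        long width = 0;
        if (*p == '*') { p++; ai++; }
        else while (*p >= '0' && *p <= '9') width = width * 10 + (*p++ - '0');

        /* Precision: prec stays -1 when given as '*' (unknown value). */
        int has_prec = 0;
        long prec = -1;
        if (*p == '.') {
            has_prec = 1; p++;
            if (*p == '*') { p++; ai++; }
            else { prec = 0; while (*p >= '0' && *p <= '9') prec = prec * 10 + (*p++ - '0'); }
        }

        while (*p && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (!*p) return -1;                        /* format ends mid-directive */

        long dmin = 0;                             /* minimum this directive emits */
        switch (*p) {
        case 's':
            if (ai < nargs && args[ai].kind == ARG_STR_CONST) {
                dmin = (long)strlen(args[ai].str);
                if (has_prec && prec >= 0 && prec < dmin) dmin = prec;
                if (has_prec && prec < 0) dmin = 0;   /* "%.*s" may print nothing */
            }
            ai++;
            break;
        case 'd': case 'i': case 'u': case 'o': case 'x': case 'X':
            /* At least one digit, unless an explicit precision allows an
             * empty result ("%.0d" of 0 prints nothing). */
            dmin = has_prec ? (prec > 0 ? prec : 0) : 1;
            ai++;
            break;
        case 'c': case 'f': case 'F': case 'e': case 'E': case 'g': case 'G': case 'a': case 'A':
            dmin = 1;                              /* always at least one character */
            ai++;
            break;
        default:
            ai++;                                  /* %p, %n, ...: consume, assume nothing */
            break;
        }
        if (width > dmin) dmin = width;            /* padding up to the field width */
        total += dmin;
    }
    return total;
}

/* 1 = the call provably overflows dest (lower bound + NUL > dest_size),
 * 0 = not provable from constants alone, -1 = format could not be parsed. */
static int sprintf_provably_overflows(size_t dest_size, const char *fmt,
                                      const struct fmt_arg *args, size_t nargs)
{
    long min = sprintf_min_len(fmt, args, nargs);
    if (min < 0) return -1;
    return (size_t)min + 1 > dest_size;
}

int main(void)
{
    /* The case from comment #3: char buf[4]; sprintf(buf, "%s %s", "abc", "def"); */
    struct fmt_arg two_strs[] = { { ARG_STR_CONST, "abc" }, { ARG_STR_CONST, "def" } };
    printf("\"%%s %%s\" -> min %ld, overflows buf[4]: %d\n",
           sprintf_min_len("%s %s", two_strs, 2),
           sprintf_provably_overflows(4, "%s %s", two_strs, 2));

    /* A literal field width is a minimum even when the value is unknown. */
    struct fmt_arg one_arg[] = { { ARG_UNKNOWN, NULL } };
    printf("\"%%5d\" -> min %ld, overflows buf[5]: %d\n",
           sprintf_min_len("%5d", one_arg, 1),
           sprintf_provably_overflows(5, "%5d", one_arg, 1));

    /* Unknown string argument: nothing can be assumed, so no warning. */
    printf("\"%%s\" (unknown) -> min %ld, overflows buf[1]: %d\n",
           sprintf_min_len("%s", one_arg, 1),
           sprintf_provably_overflows(1, "%s", one_arg, 1));
    return 0;
}
```

Because every unknown contributes zero, the checker never reports a false positive on constant-only evidence; the price is that a call such as sprintf(buf, "%s", unknown) passes silently, which is exactly the "anything it doesn't understand it can afford to ignore" trade-off.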

