[Bug middle-end/82867] New: missing warning on buffer overflow assigning to the result of mempcpy
msebor at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Mon Nov 6 17:52:00 GMT 2017
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82867
Bug ID: 82867
Summary: missing warning on buffer overflow assigning to the
result of mempcpy
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
This test case was inspired by Glibc bug
https://sourceware.org/bugzilla/show_bug.cgi?id=22332. Although the mempcpy
call in it doesn't overflow, the assignment via the pointer returned by it
does. It seems that it should be possible to enhance the -Wstringop-overflow
warning to detect this case (perhaps in tree-ssa-strlen.c?) even though the
value of n is unknown, by saving the alloca/malloc argument for each allocated
block, checking it against the mempcpy byte count in assignments through the
returned pointer, and diagnosing it if it's the same.
$ cat c.c && gcc -O2 -S -Wall -Wextra -fdump-tree-strlen=/dev/stdout c.c
/* Reproducer (heap case): copies the range [s0, s1) into a freshly
   malloc'd block and then NUL-terminates it through the pointer that
   mempcpy returns.  The mempcpy call itself stays in bounds; the store
   after it does not.  Ownership of the returned block passes to the
   caller.  The code is intentionally left as written so the GIMPLE
   dump below matches it.  */
void* f (const char *s0, const char *s1)
{
/* Block size is exactly s1 - s0 bytes (no room for a terminator).
   NOTE(review): assumes s0 <= s1; a negative difference becomes a huge
   unsigned size once converted for malloc -- confirm at the callers.  */
void *d = __builtin_malloc (s1 - s0);
/* mempcpy returns d + (s1 - s0), i.e. one past the last byte of the
   allocation, so this store writes one byte beyond the block.  This is
   the overflow the bug report asks -Wstringop-overflow to diagnose; a
   real fix would allocate one extra byte for the terminator.  */
*(char*)__builtin_mempcpy (d, s0, s1 - s0) = '\0';
return d;
}
void sink (void*);
/* Reproducer (stack case): same pattern as f, but the destination is
   an alloca'd block of s1 - s0 bytes, so the one-byte overrun after
   mempcpy lands on the stack instead of the heap.  Kept verbatim so
   the GIMPLE dump below corresponds to it.  */
void g (const char *s0, const char *s1)
{
/* NOTE(review): as in f, assumes s0 <= s1; a negative difference turns
   into a huge unsigned alloca size -- confirm at the callers.  */
void *d = __builtin_alloca (s1 - s0);
/* The returned pointer is d + (s1 - s0), one past the end of the
   alloca'd block; the store overruns it by one byte.  */
*(char*)__builtin_mempcpy (d, s0, s1 - s0) = '\0';
/* sink is declared above but not defined here; presumably it just
   keeps d observable so the copy is not optimized away.  */
sink (d);
}
;; Function f (f, funcdef_no=0, decl_uid=1888, cgraph_uid=0, symbol_order=0)
f (const char * s0, const char * s1)
{
void * d;
long int s1.0_1;
long int s0.1_2;
long int _3;
long unsigned int _4;
void * _5;
<bb 2> [100.00%] [count: INV]:
s1.0_1 = (long int) s1_6(D);
s0.1_2 = (long int) s0_7(D);
_3 = s1.0_1 - s0.1_2;
_4 = (long unsigned int) _3;
d_10 = __builtin_malloc (_4);
_5 = __builtin_mempcpy (d_10, s0_7(D), _4);
MEM[(char *)_5] = 0;
return d_10;
}
;; Function g (g, funcdef_no=1, decl_uid=1895, cgraph_uid=1, symbol_order=1)
g (const char * s0, const char * s1)
{
void * d;
long int s1.4_1;
long int s0.5_2;
long int _3;
long unsigned int _4;
void * _5;
<bb 2> [100.00%] [count: INV]:
s1.4_1 = (long int) s1_6(D);
s0.5_2 = (long int) s0_7(D);
_3 = s1.4_1 - s0.5_2;
_4 = (long unsigned int) _3;
d_10 = __builtin_alloca (_4);
_5 = __builtin_mempcpy (d_10, s0_7(D), _4);
MEM[(char *)_5] = 0;
sink (d_10);
return;
}