[Bug middle-end/91631] buffer overflow into an array member of a declared object not detected

msebor at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Thu Sep 19 22:16:00 GMT 2019


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91631

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
Author: msebor
Date: Thu Sep 19 22:15:34 2019
New Revision: 275981

URL: https://gcc.gnu.org/viewcvs?rev=275981&root=gcc&view=rev
Log:
PR middle-end/91631 - buffer overflow into an array member of a declared object
not detected

gcc/ChangeLog:

        PR middle-end/91631
        * builtins.c (component_size): Correct trailing array computation,
        rename to component_ref_size and move...
        (compute_objsize): Adjust.
        * gimple-ssa-warn-restrict.c (builtin_memref::refsize): New member.
        (builtin_access::strict): Do not consider memmove.
        (builtin_access::write_off): New function.
        (builtin_memref::builtin_memref): Initialize refsize.
        (builtin_memref::set_base_and_offset): Adjust refoff and compute
        refsize.
        (builtin_memref::offset_out_of_bounds): Use ooboff input values.
        Handle refsize.
        (builtin_access::builtin_access): Initialize dstoff to destination
        reference offset here instead of in maybe_diag_overlap.  Adjust
        references even to unrelated objects.  Adjust sizrange of bounded
        string functions to reflect bound.  For strcat, adjust destination
        sizrange by that of source.
        (builtin_access::strcat_overlap):  Adjust offsets and sizes
        to reflect the increase in destination sizrange above.
        (builtin_access::overlap): Do not set dstoff here but instead
        in builtin_access::builtin_access.
        (check_bounds_or_overlap): Use builtin_access::write_off.
        (maybe_diag_access_bounds): Add argument.  Add informational notes.
        (dump_builtin_memref, dump_builtin_access): New functions.
        * tree.c (component_ref_size): ...to here.
        * tree.h (component_ref_size): Declare.
        * tree-ssa-strlen (handle_builtin_strcat): Include the terminating
        nul in the size of the source string.

gcc/testsuite/ChangeLog:

        PR middle-end/91631
        * /c-c++-common/Warray-bounds-3.c: Correct expected offsets.
        * /c-c++-common/Warray-bounds-4.c: Same.
        * gcc.dg/Warray-bounds-39.c: Remove xfails.
        * gcc.dg/Warray-bounds-45.c: New test.
        * gcc.dg/Warray-bounds-46.c: New test.


Added:
    trunk/gcc/testsuite/gcc.dg/Warray-bounds-45.c
    trunk/gcc/testsuite/gcc.dg/Warray-bounds-46.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/builtins.c
    trunk/gcc/gimple-ssa-warn-restrict.c
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/c-c++-common/Warray-bounds-3.c
    trunk/gcc/testsuite/c-c++-common/Warray-bounds-4.c
    trunk/gcc/testsuite/gcc.dg/Warray-bounds-39.c
    trunk/gcc/tree-ssa-strlen.c
    trunk/gcc/tree.c
    trunk/gcc/tree.h
