[Bug tree-optimization/104964] Wrong *** buffer overflow detected ***: terminated - acl
siddhesh at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Fri Mar 25 15:00:25 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104964
--- Comment #13 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
It's not really a regression AFAICT, it's only more visible with __bdos because
non-constant offsets don't stop it. Also the problem is only with subobjects
(hence limited to _FORTIFY_SOURCE > 1 for strcpy) where the block in
addr_object_size that is supposed to deal with flex arrays at the end doesn't
quite do its job with nested structs.
The same reproducer tweaked a bit will crash even for __builtin_object_size:
struct __string_ext
{
char s_str[0];
};
typedef struct
{
int o_prefix;
struct __string_ext i;
} string_obj;
#define SUFFIX ".suffix"
string_obj *
__acl_to_any_text (unsigned long n)
{
unsigned long off = 0;
unsigned long size = sizeof SUFFIX;
string_obj *obj = __builtin_malloc (sizeof (string_obj) + size);
if (n == 0)
__builtin_unreachable ();
while (n-- != 0)
{
if (off + 1 > size - sizeof SUFFIX)
{
size <<= 1;
string_obj *tmp = __builtin_realloc (obj, sizeof (string_obj) +
size);
if (!tmp)
__builtin_unreachable ();
obj = tmp;
}
obj->i.s_str[off++] = 'A';
}
char *t = obj->i.s_str;
__strcpy_chk (t, SUFFIX, __builtin_object_size (t, 1));
return obj;
}
int
main ()
{
string_obj *s = __acl_to_any_text (32);
__builtin_printf ("%zu: %s\n", __builtin_strlen (s->i.s_str), s->i.s_str);
return 0;
}
$ gcc/cc1 -g -o test.s -quiet -Wall -O3 fs3.c
fs3.c: In function ‘__acl_to_any_text’:
fs3.c:40:3: warning: ‘__builtin___memcpy_chk’ writing 8 bytes into a region of
size 0 overflows the destination [-Wstringop-overflow=]
40 | __strcpy_chk (t, SUFFIX, __builtin_object_size (t, 1));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
More information about the Gcc-bugs
mailing list