[PATCH] - improve sprintf buffer overflow detection (middle-end/49905)
Jakub Jelinek
jakub@redhat.com
Fri Jul 22 19:57:00 GMT 2016
On Mon, Jul 18, 2016 at 03:59:11PM -0600, Martin Sebor wrote:
> + /* Try to use __builtin_object_size although it rarely returns
> + a useful result even for straighforward cases. */
> + tree ost = warn_format_length < 2
> + ? integer_zero_node : build_int_cst (size_type_node, 2);
> + tree args[] = { dest, ost };
> + tree func = builtin_decl_explicit (BUILT_IN_OBJECT_SIZE);
> + if (tree size = fold_builtin_n (UNKNOWN_LOCATION, func, args, 2, false))
What is the point of going through fold etc.? You can just
(for ADDR_EXPR and SSA_NAME) call compute_builtin_object_size without,
and don't have to convert the result back to tree and then back to uhwi.
> + return tree_to_uhwi (STRIP_NOPS (size));
Formatting.
> +
> + /* If __builtin_object_size fails to deliver, try to compute
> + it for the very basic (but common) cases. */
> + if (TREE_CODE (dest) == SSA_NAME
> + && POINTER_TYPE_P (TREE_TYPE (dest)))
> + {
> + gimple *def = SSA_NAME_DEF_STMT (dest);
> + if (gimple_code (def) == GIMPLE_ASSIGN)
is_gimple_assign (def) ?
> + {
> + tree_code code = gimple_assign_rhs_code (def);
> + if (code == POINTER_PLUS_EXPR)
> + {
> + tree off = gimple_assign_rhs2 (def);
> + dest = gimple_assign_rhs1 (def);
> +
> + if (cst_and_fits_in_hwi (off))
> + {
> + unsigned HOST_WIDE_INT size = get_destination_size (dest);
> + if (size != HOST_WIDE_INT_M1U)
> + return size - tree_to_shwi (off);
> + }
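Review bot: the subtraction in `return size - tree_to_shwi (off);` has no check that the offset actually lies within the object, so an offset equal to or larger than `size` wraps the unsigned result around to a huge value and the caller is told the destination is bigger than it is. Compare the offset against `size` before subtracting and return 0 (or the function's unknown-size marker) when it is not smaller.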
I think you need to be very careful on negative offsets here (or don't allow
them).
> + }
Shouldn't this have some upper bound for the recursion?
E.g. PARAM_VALUE (PARAM_MAX_SSA_NAME_QUERY_DEPTH)?
> + }
> + }
> +
> + return -1;
> +}
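Review bot: `return -1;` relies on implicit conversion to the unsigned return type, while the caller at `if (size != HOST_WIDE_INT_M1U)` compares against the named constant; returning `HOST_WIDE_INT_M1U` here makes the "unknown size" value explicit and keeps the two spellings from drifting apart.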
Jakub