[PING][PATCH] use get_size_range to get allocated size (PR 92942)

Martin Sebor msebor@gmail.com
Wed Sep 9 21:42:36 GMT 2020


Ping: https://gcc.gnu.org/pipermail/gcc-patches/2020-August/552903.html

On 8/28/20 11:12 AM, Martin Sebor wrote:
> The gimple_call_alloc_size() function that determines the range
> of sizes of allocated objects and constrains the bounds in calls
> to functions like memcpy calls get_range() instead of
> get_size_range() to obtain its result.  The latter is the right
> function to call because it has the necessary logic to constrain
> the range to just the values that are valid for object sizes.
> This is especially useful when the range is the result of
> a conversion from a signed to a wider unsigned integer where
> the upper subrange is excessive and can be eliminated such as in:
> 
>    char* f (int n)
>    {
>      if (n > 8)
>        n = 8;
>      char *p = malloc (n);
>      strcpy (p, "0123456789");   // buffer overflow
>      ...
>    }
> 
> Attached is a fix that lets -Wstringop-overflow diagnose the buffer
> overflow above.  Besides with GCC I have also tested the change by
> building Binutils/GDB and Glibc and verifying that it doesn't
> introduce any false positives.
> 
> Martin
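The message explains why the range of `n` after `if (n > 8) n = 8;` must be constrained to valid object sizes before it is useful: converting the signed range [INT_MIN, 8] to a wider unsigned type splits it into [0, 8] plus a wrapped upper subrange that starts far above any possible object size, and without dropping that subrange the upper bound on `malloc (n)` is SIZE_MAX and the strcpy cannot be diagnosed. The following is an added, self-contained illustration of that reasoning; it is not GCC's get_size_range or gimple_call_alloc_size, just a model of the range arithmetic with hypothetical names (`widen_to_size_t`, `constrain_to_object_sizes`, `alloc_size_upper_bound`). It assumes, as GCC does, that PTRDIFF_MAX bounds the size of any object.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A closed range of size_t values.  */
struct urange { size_t min, max; };

/* Result of converting a signed range to size_t: at most two
   subranges, the non-negative part and the wrapped negative part.  */
struct uranges { int n; struct urange r[2]; };

/* Largest size any object can have.  GCC bounds object sizes by
   PTRDIFF_MAX; this illustration (not GCC's code) does the same.  */
#define MAX_OBJECT_SIZE ((size_t) PTRDIFF_MAX)

/* Convert the signed int range [lo, hi] to size_t exactly: a range that
   straddles zero splits into [0, hi] and the negative values wrapped to
   the top of the unsigned domain.  */
struct uranges widen_to_size_t (int lo, int hi)
{
  struct uranges out = { 0, { { 0, 0 }, { 0, 0 } } };
  if (lo >= 0)
    {                          /* entirely non-negative: one subrange */
      out.r[out.n++] = (struct urange) { (size_t) lo, (size_t) hi };
      return out;
    }
  if (hi >= 0)                 /* non-negative part [0, hi] */
    out.r[out.n++] = (struct urange) { 0, (size_t) hi };
  /* Negative part [lo, min (hi, -1)] wraps modulo 2^N: (size_t) -1 is
     SIZE_MAX and (size_t) INT_MIN is 2^N - 2^31.  */
  int neg_hi = hi < -1 ? hi : -1;
  out.r[out.n++] = (struct urange) { (size_t) lo, (size_t) neg_hi };
  return out;
}

/* Upper bound of the widened range with no knowledge of object sizes:
   for [INT_MIN, 8] this is SIZE_MAX, which is useless for diagnostics.  */
size_t unconstrained_upper_bound (int lo, int hi)
{
  struct uranges rs = widen_to_size_t (lo, hi);
  size_t max = 0;
  for (int i = 0; i < rs.n; i++)
    if (rs.r[i].max > max)
      max = rs.r[i].max;
  return max;
}

/* Keep only values that can be valid object sizes: drop subranges that
   lie entirely above MAX_OBJECT_SIZE and clamp any that straddle it.
   Returns the number of subranges kept.  */
int constrain_to_object_sizes (struct uranges *rs)
{
  int kept = 0;
  for (int i = 0; i < rs->n; i++)
    {
      if (rs->r[i].min > MAX_OBJECT_SIZE)
        continue;                        /* excessive: never a size */
      if (rs->r[i].max > MAX_OBJECT_SIZE)
        rs->r[i].max = MAX_OBJECT_SIZE;
      rs->r[kept++] = rs->r[i];
    }
  rs->n = kept;
  return kept;
}

/* Upper bound of the allocated size after constraining, or SIZE_MAX
   when no valid size survives (nothing is known).  */
size_t alloc_size_upper_bound (int lo, int hi)
{
  struct uranges rs = widen_to_size_t (lo, hi);
  if (constrain_to_object_sizes (&rs) == 0)
    return SIZE_MAX;
  size_t max = 0;
  for (int i = 0; i < rs.n; i++)
    if (rs.r[i].max > max)
      max = rs.r[i].max;
  return max;
}

/* Nonzero when writing NBYTES into an object of at most BOUND bytes
   overflows in every execution, the case the strcpy above falls into.  */
int certain_overflow (size_t bound, size_t nbytes)
{
  return nbytes > bound;
}

int main (void)
{
  /* After `if (n > 8) n = 8;` the range of n is [INT_MIN, 8].  */
  printf ("unconstrained bound: %zu\n", unconstrained_upper_bound (INT_MIN, 8));
  size_t bound = alloc_size_upper_bound (INT_MIN, 8);
  printf ("constrained bound on malloc (n): %zu\n", bound);
  /* strcpy (p, "0123456789") writes 10 characters plus the NUL.  */
  printf ("overflow: %d\n", certain_overflow (bound, sizeof "0123456789"));
  return 0;
}
```

The contrast between `unconstrained_upper_bound` and `alloc_size_upper_bound` is the point of the patch: the same input range yields SIZE_MAX in one case and 8 in the other, and only the second lets the 11-byte strcpy be flagged.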
