https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64964
Bug ID: 64964 Summary: -D_FORTIFY_SOURCE=2 passes incorrect length to _chk functions in some cases Product: gcc Version: 5.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c Assignee: unassigned at gcc dot gnu.org Reporter: nszabolcs at gmail dot com in the following simple testcase the valid length of x.a+1 is 1, but 2 is passed to __strcpy_chk according to the asm (gcc-4.8 gets it right, glibc debug/tst-chk3 and debug/tst-chk6 testcases fail now with gcc built from trunk) at runtime x.b[0] gets clobbered with 0 and there is no failure reported. $ cat chk.c #include <string.h> int main() { char *volatile s = "A"; struct { char a[2]; char b[1]; } x; strcpy(x.a+1, s); return 0; } $ gcc -D_FORTIFY_SOURCE=2 -O -S chk.c $ cat chk.s .file "chk.c" .section .rodata.str1.1,"aMS",@progbits,1 .LC0: .string "A" .text .globl main .type main, @function main: .LFB22: .cfi_startproc subq $24, %rsp .cfi_def_cfa_offset 32 movq $.LC0, 8(%rsp) movq 8(%rsp), %rsi movl $2, %edx leaq 1(%rsp), %rdi call __strcpy_chk movl $0, %eax addq $24, %rsp .cfi_def_cfa_offset 8 ret .cfi_endproc .LFE22: .size main, .-main .ident "GCC: (GNU) 5.0.0 20150205 (experimental)" .section .note.GNU-stack,"",@progbits