[Bug c/81117] Improve buffer overflow checking in strncpy

Fri, 10 Nov 2017 10:11:57 -0800 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81117

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
           See Also|                            |https://gcc.gnu.org/bugzill
                   |                            |a/show_bug.cgi?id=82944
         Resolution|---                         |FIXED

--- Comment #9 from Martin Sebor <msebor at gcc dot gnu.org> ---
The enhancement has been committed in r254630.  With the slightly modified test
case GCC 8.0 produces the warnings below.  Unfortunately, including <string.h>
instead of explicitly declaring strncpy may suppress a number of the warnings,
including the one for the last call, when strncpy is defined as a macro in one
of the system headers (as in Glibc 2.24 and prior).

I've raised bug 82944 for the system header problem and so I'm resolving this
request as fixed.

$ cat pr81117.c && gcc -O2 -S -Wall -Wextra pr81117.c 
extern __SIZE_TYPE__ strlen (const char*);
extern char* strncpy (char*, const char*, __SIZE_TYPE__);

char buf[2];

void test (const char* str)
{
    strncpy (buf, "12345", sizeof ("12345")); // 1
    strncpy (buf, "12345", strlen ("12345")); // 2
    strncpy (buf, str, sizeof (str));         // 3
    strncpy (buf, str, strlen (str));         // 4
}
pr81117.c: In function ‘test’:
pr81117.c:8:35: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same
expression as the source; did you mean to use the size of the destination?
[-Wsizeof-pointer-memaccess]
     strncpy (buf, "12345", sizeof ("12345")); // 1
                                   ^
pr81117.c:10:31: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same
expression as the source; did you mean to provide an explicit length?
[-Wsizeof-pointer-memaccess]
     strncpy (buf, str, sizeof (str));         // 3
                               ^
pr81117.c:9:5: warning: ‘strncpy’ output truncated before terminating nul
copying 5 bytes from a string of the same length [-Wstringop-truncation]
     strncpy (buf, "12345", strlen ("12345")); // 2
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pr81117.c:8:5: warning: array subscript is above array bounds [-Warray-bounds]
     strncpy (buf, "12345", sizeof ("12345")); // 1
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pr81117.c:11:5: warning: ‘strncpy’ output truncated before terminating nul
copying as many bytes from a string as its length [-Wstringop-truncation]
     strncpy (buf, str, strlen (str));         // 4
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pr81117.c:8:5: warning: ‘__builtin_memcpy’ writing 2 bytes into a region of
size 0 overflows the destination [-Wstringop-overflow=]
     strncpy (buf, "12345", sizeof ("12345")); // 1
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pr81117.c:9:5: warning: ‘__builtin_memcpy’ writing 5 bytes into a region of
size 2 overflows the destination [-Wstringop-overflow=]
     strncpy (buf, "12345", strlen ("12345")); // 2
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pr81117.c:10:5: warning: ‘strncpy’ writing 8 bytes into a region of size 2
overflows the destination [-Wstringop-overflow=]
     strncpy (buf, str, sizeof (str));         // 3
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reply via email to