https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85484
Bug ID: 85484 Summary: missing -Wstringop-overflow for strcpy with a string of non-const length Product: gcc Version: 8.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: tree-optimization Assignee: unassigned at gcc dot gnu.org Reporter: msebor at gcc dot gnu.org Target Milestone: --- The buffer overflow reported in bug 85476 can be reduced to the test case below. The overflow is quite obvious and should be easy to detect at compile-time via the -Wstringop-overflow warning yet GCC does not detect it, either with or without -D_FORTIFY_SOURCE. That's because __builtin_object_size that -Wstringop-overflow relies on only deals with constant sizes. But the non-constant string length and allocation size are both readily available in the tree-ssa-strlen pass and so the bug can easily be detected there. $ cat x.c && gcc -O2 -S -Wall -Wextra -Wpedantic -fdump-tree-strlen=/dev/stdout x.c void f (char*); void g (const char *s) { unsigned n = __builtin_strlen (s); char *d = __builtin_alloca (n); // off-by-one error (should be n + 1) __builtin_strcpy (d, s); // missing -Wstringop-overflow f (d); } void h (const char *s) { unsigned n = __builtin_strlen (s); char *d = __builtin_alloca (n); __builtin___strcpy_chk (d, s, __builtin_object_size (d, 1)); f (d); } ;; Function g (g, funcdef_no=0, decl_uid=1960, cgraph_uid=0, symbol_order=0) g (const char * s) { char * d; long unsigned int _1; long unsigned int _8; long unsigned int _10; <bb 2> [local count: 1073741825]: _1 = __builtin_strlen (s_3(D)); _8 = _1 & 4294967295; d_5 = __builtin_alloca (_8); _10 = _1 + 1; __builtin_memcpy (d_5, s_3(D), _10); f (d_5); return; } ;; Function h (h, funcdef_no=1, decl_uid=1965, cgraph_uid=1, symbol_order=1) h (const char * s) { char * d; long unsigned int _1; long unsigned int _2; long unsigned int _9; <bb 2> [local count: 1073741825]: _1 = __builtin_strlen (s_4(D)); _9 = _1 & 4294967295; d_6 = __builtin_alloca (_9); _2 = _1 + 1; __builtin_memcpy (d_6, s_4(D), _2); f (d_6); return; }