https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92943

            Bug ID: 92943
           Summary: missing -Wformat-overflow with an allocated buffer
                    with non-constant size in known range
           Product: gcc
           Version: 10.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

With pr78245 resolved, GCC diagnoses the buffer overflow in function f() below.
The overflow in g() is also detected but only after the sprintf pass has
transformed the call to memcpy, and not by the pass itself.  The overflow in
h() is not detected at all, (presumably) because the detection relies on the
objsize pass which is limited to constant sizes.


$ cat a.c && gcc -O2 -S -Wall a.c
void* f (void)
{
  char *p = __builtin_malloc (4);
  __builtin_sprintf (p, "%i", 12345);   // overflow detected
  return p;
}

void* g (unsigned n)
{ 
  if (4 < n)
    n = 4;
  char *p = __builtin_malloc (n);
  __builtin_sprintf (p, "%s", "12345");    // overflow detected
  return p;
}

void* h (unsigned n)
{
  if (4 < n)
    n = 4;
  char *p = __builtin_malloc (n);
  __builtin_sprintf (p, "%i", 12345);   // overflow not detected
  return p;
}
a.c: In function ‘f’:
a.c:4:26: warning: ‘%i’ directive writing 5 bytes into a region of size 4
[-Wformat-overflow=]
    4 |   __builtin_sprintf (p, "%i", 12345);   // overflow detected
      |                          ^~
a.c:4:3: note: ‘__builtin_sprintf’ output 6 bytes into a destination of size 4
    4 |   __builtin_sprintf (p, "%i", 12345);   // overflow detected
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a.c: In function ‘g’:
a.c:13:3: warning: ‘__builtin_memcpy’ forming offset [4, 5] is out of the
bounds [0, 4] [-Warray-bounds]
   13 |   __builtin_sprintf (p, "%s", "12345");   // overflow detected
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
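The following C is an added illustration, not part of the report and not GCC's test case. It shows why the missed diagnostic in h() matters and what the bounded form of the same call looks like: the destination size n is clamped to at most 4 exactly as in the report, "%i" of 12345 needs 6 bytes including the terminating NUL, and h_safe() (a name chosen here) uses snprintf with the real buffer size and checks the return value instead of relying on the compiler to notice the overrun.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of bytes sprintf (p, "%i", value) would store, NUL included.
   snprintf with a zero-length destination only counts, it writes nothing. */
int bytes_needed(int value)
{
    return snprintf(NULL, 0, "%i", value) + 1;
}

/* Hardened counterpart of h() from the report.  The size n is clamped to
   the same range [0, 4], but the write is bounded by snprintf and the
   truncation is detected from its return value.  Returns a heap string on
   success, or NULL (no allocation leaked) when the output would not fit. */
char *h_safe(unsigned n, int value)
{
    if (4 < n)
        n = 4;
    if (n == 0)                /* a zero-size buffer cannot hold even the NUL */
        return NULL;
    char *p = malloc(n);
    if (!p)
        return NULL;
    int len = snprintf(p, n, "%i", value);
    if (len < 0 || (unsigned)len >= n) {
        /* len + 1 bytes were required but only n were available: the
           unbounded sprintf in h() would have written past the allocation */
        free(p);
        return NULL;
    }
    return p;
}

int main(void)
{
    printf("sprintf(p, \"%%i\", 12345) needs %d bytes, buffer holds at most 4\n",
           bytes_needed(12345));
    char *ok = h_safe(4, 123);
    printf("h_safe(4, 123)   -> %s\n", ok ? ok : "NULL");
    char *bad = h_safe(4, 12345);
    printf("h_safe(4, 12345) -> %s\n", bad ? bad : "NULL (would overflow)");
    free(ok);
    free(bad);
    return 0;
}
```

The interesting case is h_safe(100, 12345): the clamp reduces n to 4 before the allocation, so the call fails for the same reason as h_safe(4, 12345) even though the caller asked for a large buffer, which is exactly the range information the report wants the sprintf pass to use.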