https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100325
Bug ID: 100325
Summary: missing warning with -O0 on sprintf overflow with pointer plus offset
Product: gcc
Version: 11.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
At -O0, GCC correctly diagnoses the buffer overflow in f() but fails to detect
the same bug in g(). This covers the problem mentioned in pr100307 comment 2
caused by the sprintf warning being run too early when optimization is
disabled. Running it at approximately the same point as the early
-Wuninitialized pass (or -Wnonnull-compare) lets it diagnose both bugs.
$ cat a.c && gcc -S -Wall a.c
extern char a[2];
void f ()
{
__builtin_sprintf (a + 1, "%i", 123); // -Wformat-overflow (good)
}
void g ()
{
char *p = a + 1;
__builtin_sprintf (p, "%i", 123); // missing -Wformat-overflow
}
a.c: In function ‘f’:
a.c:5:30: warning: ‘%i’ directive writing 3 bytes into a region of size 1
[-Wformat-overflow=]
5 | __builtin_sprintf (a + 1, "%i", 123); // -Wformat-overflow (good)
| ^~
a.c:5:3: note: ‘__builtin_sprintf’ output 4 bytes into a destination of size 1
5 | __builtin_sprintf (a + 1, "%i", 123); // -Wformat-overflow (good)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
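Since the diagnostic above is a compile-time check that, per the report, does not fire for the pointer-variable form in g() at -O0, a practitioner writing into a pointer-plus-offset destination should not rely on the warning alone. The following is an added example, not code from the bug report or from GCC: it keeps the same shape as g() (a pointer derived from a base array plus an offset) but computes the remaining space explicitly and uses snprintf so that the write is bounded regardless of what the compiler diagnoses. The function names, the 2-byte buffer and the offset/value pair are assumptions chosen to mirror the report's test case.

```c
/* Added example, not part of the GCC bug report or of GCC itself.
   Demonstrates a bounded version of the "pointer plus offset" sprintf
   destination from g() above. Names and sizes are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Formats value as "%i" into buf starting at offset, with the remaining
   space derived from the buffer size instead of assumed. Returns the
   snprintf result (characters needed, excluding the NUL) or -1 when the
   offset is outside the buffer. A result >= bufsz - offset means the
   output was truncated, which is exactly the case -Wformat-overflow
   flags for f() but, as reported, misses for g() at -O0. */
int write_at_offset(char *buf, size_t bufsz, size_t offset, int value)
{
    if (offset >= bufsz)
        return -1;
    size_t remaining = bufsz - offset;  /* space left, including the NUL */
    char *p = buf + offset;             /* same pointer shape as p in g() */
    return snprintf(p, remaining, "%i", value);
}

/* Returns 1 when "%i" of value plus its terminating NUL fits at offset,
   0 otherwise. Uses snprintf(NULL, 0, ...) to measure the formatted length. */
int fits_at_offset(size_t bufsz, size_t offset, int value)
{
    if (offset >= bufsz)
        return 0;
    int needed = snprintf(NULL, 0, "%i", value);  /* length without NUL */
    return needed >= 0 && (size_t)needed < bufsz - offset;
}

int main(void)
{
    /* Constructed input mirroring the report: a 2-byte buffer, offset 1,
       value 123 (needs 3 characters plus NUL, so it cannot fit). */
    char a[2];
    memset(a, 'X', sizeof a);
    int n = write_at_offset(a, sizeof a, 1, 123);
    printf("needed %d, remaining %zu, fits: %s, a[0]=%c a[1]=%d\n",
           n, sizeof a - 1, fits_at_offset(sizeof a, 1, 123) ? "yes" : "no",
           a[0], a[1]);
    return 0;
}
```

The snprintf return value is the check that replaces the missing warning: when it is not smaller than the remaining space, the caller knows the output was cut and can fail or grow the buffer rather than silently corrupt the byte after a[1].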