https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Strange, it certainly does reproduce for me:

char a[10256], b, *c, *g;
int d, e, f;

int
foo (char *j)
{
  if (__builtin_strlen (j) + __builtin_strlen (c) + __builtin_strlen (g) + 32 > 10256)
    return 0;
  __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  return 1;
}

void
bar (void)
{
  foo ("wctype");
}

/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-8919 -quiet -O3 -Wall pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |                                            ^~
In function ‘foo’,
    inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes into a destination of size 10256
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-260 -quiet -O3 -Wall pr113752.c
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-261 -quiet -O3 -Wall pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |                                            ^~
In function ‘foo’,
    inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes into a destination of size 10256
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~