On 8/28/20 11:12 AM, Martin Sebor via Gcc-patches wrote:
> The gimple_call_alloc_size() function that determines the range
> of sizes of allocated objects and constrains the bounds in calls
> to functions like memcpy calls get_range() instead of
> get_size_range() to obtain its result.  The latter is the right
> function to call because it has the necessary logic to constrain
> the range to just the values that are valid for object sizes.
> This is especially useful when the range is the result of
> a conversion from a signed to a wider unsigned integer where
> the upper subrange is excessive and can be eliminated such as in:
>
>   char* f (int n)
>   {
>     if (n > 8)
>       n = 8;
>     char *p = malloc (n);
>     strcpy (p, "0123456789");   // buffer overflow
>     ...
>   }
>
> Attached is a fix that lets -Wstringop-overflow diagnose the buffer
> overflow above.  Besides with GCC I have also tested the change by
> building Binutils/GDB and Glibc and verifying that it doesn't
> introduce any false positives.
>
> Martin
>
> gcc-92942.diff
>
> PR middle-end/92942 - missing -Wstringop-overflow for allocations with a negative lower bound size
>
> gcc/ChangeLog:
>
>       PR middle-end/92942
>       * builtins.c (gimple_call_alloc_size): Call get_size_range instead
>       of get_range.
>       * calls.c (get_size_range): Define new overload.  Handle anti-ranges
>       whose upper part is within the valid size range.
>       * calls.h (get_size_range): Declare new overload.
>
> gcc/testsuite/ChangeLog:
>
>       PR middle-end/92942
>       * gcc.dg/Wstringop-overflow-40.c: New test.
>       * gcc.dg/Wstringop-overflow-41.c: New test.
>       * gcc.dg/attr-alloc_size-10.c: Disable macro tracking.

Please re-test and once re-validated, this is fine for the trunk.


jeff
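The range reasoning the quoted patch description relies on, as an added example that is not part of the thread or of GCC's own code: a signed range [lo, hi] for the malloc argument is converted to size_t, the wrapped-around upper subrange is dropped because it can never be a valid object size, and the strcpy of 11 bytes is then compared against the surviving upper bound. The bound PTRDIFF_MAX and the function names size_range_from_signed and access_exceeds_alloc are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

/* Largest size an object can have.  Assumption of this model: the
   valid size range is [0, PTRDIFF_MAX]. */
#define MAX_OBJECT_SIZE ((size_t) PTRDIFF_MAX)

typedef struct {
    bool valid;      /* false if no value in the range is a usable size */
    size_t lo, hi;   /* constrained range of sizes, inclusive */
} size_range;

/* Model of the size-range step: given the signed int range [lo, hi]
   of the argument passed to malloc, compute the size_t values it
   converts to and keep only those that are valid object sizes. */
size_range size_range_from_signed(int lo, int hi)
{
    size_range r = { false, 0, 0 };
    if (lo >= 0) {
        /* No negative values: the conversion is value-preserving. */
        r.lo = (size_t) lo;
        r.hi = (size_t) hi;
    } else if (hi < 0) {
        /* Entirely negative: every value wraps to a size_t far above
           MAX_OBJECT_SIZE, so no valid size remains. */
        return r;
    } else {
        /* Straddles zero: converts to [0, hi] plus the wrapped subrange
           [SIZE_MAX + lo + 1, SIZE_MAX] (an anti-range).  The wrapped
           part lies above MAX_OBJECT_SIZE, so only [0, hi] survives. */
        r.lo = 0;
        r.hi = (size_t) hi;
    }
    if (r.lo > MAX_OBJECT_SIZE)
        return r;
    if (r.hi > MAX_OBJECT_SIZE)
        r.hi = MAX_OBJECT_SIZE;
    r.valid = true;
    return r;
}

/* True when an access of nbytes exceeds even the largest size the
   allocation can have: the situation -Wstringop-overflow diagnoses. */
bool access_exceeds_alloc(int lo, int hi, size_t nbytes)
{
    size_range r = size_range_from_signed(lo, hi);
    return r.valid && nbytes > r.hi;
}
```

For the f() in the quoted message the argument range after the clamp is [INT_MIN, 8], so the surviving size range is [0, 8] and the 11-byte strcpy is flagged.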