https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
Bug ID: 111266
Summary: Missing -Wanalyzer-out-of-bounds for concrete offset
overwrite.
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: vultkayn at gcc dot gnu.org
Target Milestone: ---
Hi,
The analyzer do not emit the expected "heap-based write overflow" in the
reproducer below.
#include <stdint.h>
void *malloc (__SIZE_TYPE__);
void free (void *);
void test_binop2 ()
{
char *p = (char *) malloc (4);
int32_t *i = (int32_t *) (p + 3);
*i = 20042; /* { dg-warning "heap-based buffer overflow" "" { xfail *-*-* } }
*/
free (p);
}
A quick investigation showed that on *i = 20042, check_region_bounds had the
following:
reg is an offset_region(heap_allocated(12), 'int32_', 3) as expected
base_reg is heap_allocated(12)
base_reg's capacity is correct too, and reg_offset *is* 3 bytes, as it should.
The issue comes from num_bytes_sval, which corresponds to the number of bytes
accessed. It should be a constant_svalue of value 4, but is instead of value 1.
Therefore the "read_bytes" byte_range do not overflow the buffer, as we get
(offset) 3 + (accessed bytes) 1 = 4, which is not an overflow (3 + 4 expected)
