https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77799
            Bug ID: 77799
           Summary: missing -Wformat-length warning on a trivial sprintf
                    overflow with no directives
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

Similar to bug 77671, GCC warns for a call to sprintf with a format string
containing no format directives that writes past the end of the destination if
the call contains redundant (unused) arguments but fails to issue the same
warning when there are no arguments. The underlying reason is the same as in
bug 77671: GCC transforms the call with no redundant arguments to one to memcpy
before the warning pass has a chance to see it.

$ cat zzz.c && /build/gcc-trunk-git/gcc/xgcc -B /build/gcc-trunk-git/gcc -O2 -S -Wformat-length -fdump-tree-optimized=/dev/stdout zzz.c
char d [2];

extern int sprintf (char*, const char*, ...);

void f (void)
{
  sprintf (d, "123");
}

void g (void)
{
  sprintf (d, "123", 0);
}

;; Function f (f, funcdef_no=0, decl_uid=1795, cgraph_uid=0, symbol_order=1)

f ()
{
  <bb 2>:
  __builtin_memcpy (&d, "123", 4); [tail call]
  return;
}

zzz.c: In function ‘g’:
zzz.c:12:18: warning: writing format character ‘3’ at offset 2 past the end of the destination [-Wformat-length=]
   sprintf (d, "123", 0);
                  ^
zzz.c:12:3: note: format output 4 bytes into a destination of size 2
   sprintf (d, "123", 0);
   ^~~~~~~~~~~~~~~~~~~~~

;; Function g (g, funcdef_no=1, decl_uid=1798, cgraph_uid=1, symbol_order=2)

g ()
{
  <bb 2>:
  sprintf (&d, "123", 0); [tail call]
  return;
}
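
Added example, not part of the original report or of GCC: a runtime check that catches both calls from zzz.c regardless of whether the compiler folds the sprintf into memcpy before the warning pass runs. The helper overflow_bytes and the wrappers f_checked and g_checked are hypothetical names introduced here.

```c
#include <stdarg.h>
#include <stdio.h>

char d[2];   /* same 2-byte destination as zzz.c in the report */

/* Hypothetical helper, not from GCC or the report.  Formats into dst without
   ever writing more than dst_size bytes and returns how many bytes an
   unbounded sprintf would have written past the end (0 means it fits). */
static size_t overflow_bytes(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return (size_t)-1;               /* output error reported by libc */
    size_t needed = (size_t)n + 1;       /* characters plus terminating NUL */
    return needed > dst_size ? needed - dst_size : 0;
}

/* Counterparts of f() and g() from the report: same format string, with and
   without the redundant argument. */
size_t f_checked(void) { return overflow_bytes(d, sizeof d, "123"); }
size_t g_checked(void) { return overflow_bytes(d, sizeof d, "123", 0); }

int main(void)
{
    printf("f: %zu byte(s) past the end\n", f_checked());
    printf("g: %zu byte(s) past the end\n", g_checked());
    printf("d now holds \"%s\"\n", d);
    return 0;
}
```

Both wrappers report the same result for the 4-byte output into the 2-byte destination, which is the consistency the report asks of the compile-time warning.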