http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985
Summary: bogus buffer overflow warning and abort on static flexible array member
Product: gcc
Version: 4.6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
AssignedTo: [email protected]
ReportedBy: [email protected]
GCC emits a bogus warning on the program below which then aborts at runtime.
Note that when the strncpy (s.c, "012", 4) call in line 24 is removed, GCC
doesn't emit a warning, but the program still aborts even though there is no
buffer overflow.
For statically allocated flexible array members I would expect
__builtin_object_size() to report the actual size of the array rather than
zero, analogously to the case when the array is allocated dynamically.
$ cat z.c && gcc -D_FORTIFY_SOURCE -O2 z.c && ./a.out
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flexible array member with a static initializer (GCC extension):
   s.c holds the 6 bytes "01234\0". */
struct s {
    int i;
    char c[];
} s = { 1, "01234" };

/* Object size GCC computes for the static member and for a heap-allocated one. */
size_t f (void) { return __builtin_object_size(&s.c, 0); }
size_t g (struct s *p) { return __builtin_object_size(p->c, 0); }

int main (void) {
    struct s *p;

    p = (struct s*)malloc (sizeof *p + 6);
    printf ("%zu %zu\n", f (), g (p));
    fflush (stdout);
    strncpy (p->c, "012", strlen(s.c));      /* heap copy, within the 6 bytes */
    if (puts ("###"))
        strncpy (s.c, "012", 4);             /* line 24: constant 4 > reported size 0, warning and abort */
    strncpy (s.c, "012", strlen(s.c) + 1);   /* runtime length, also within the 6 bytes; aborts too when line 24 is removed */
    return 0;
}
In file included from /usr/include/string.h:642:0,
from z.c:3:
In function ‘strncpy’,
inlined from ‘main’ at z.c:24:17:
/usr/include/bits/string3.h:121:3: warning: call to __builtin___strncpy_chk
will always overflow destination buffer [enabled by default]
0 6
###
*** buffer overflow detected ***: ./a.out terminated
...
Aborted (core dumped)
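The reproducer depends on __builtin_object_size(), which here reports 0 for the static member and so makes the fortified strncpy abort on a copy that actually fits. As an added example that is not part of the bug report, the code below keeps the usable size of a flexible array member in the struct itself and checks every copy against that explicit capacity, so the bounds check no longer rests on what the compiler can infer; struct rec, rec_alloc, rec_set and rec_compiler_size are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A flexible-array record that carries its own capacity, so bounds checks do
 * not depend on what __builtin_object_size() happens to see at the call site. */
struct rec {
    size_t cap;     /* bytes usable in data[], fixed at allocation time */
    char   data[];
};

/* Allocate a record with room for cap bytes; NULL on size overflow or OOM. */
struct rec *rec_alloc(size_t cap)
{
    if (cap > SIZE_MAX - sizeof(struct rec))
        return NULL;
    struct rec *r = malloc(sizeof *r + cap);
    if (r)
        r->cap = cap;
    return r;
}

/* Copy at most n bytes of src, plus a terminating NUL, into r->data.
 * Returns 0 on success and -1 if the copy would exceed the tracked capacity.
 * memchr is used instead of strnlen so the block stays strictly ISO C. */
int rec_set(struct rec *r, const char *src, size_t n)
{
    const char *end = memchr(src, '\0', n);
    size_t len = end ? (size_t)(end - src) : n;
    if (len + 1 > r->cap)           /* explicit check, independent of fortify */
        return -1;
    memcpy(r->data, src, len);
    r->data[len] = '\0';
    return 0;
}

/* What the compiler believes about r->data, for comparison with r->cap.
 * In mode 0 an unknown size is reported as (size_t)-1, never as 0. */
size_t rec_compiler_size(struct rec *r)
{
    return __builtin_object_size(r->data, 0);
}
```

rec_compiler_size() may yield the exact heap size when the allocation is visible after inlining and (size_t)-1 otherwise; rec_set() gives the same answer in both cases.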