http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60792
Bug ID: 60792
Summary: bogus buffer overflow warning and abort on static flexible array member in a child object
Product: gcc
Version: 4.8.2
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: abalint21 at gmail dot com

g++ emits a bogus warning on the program below, which then aborts at runtime. The strange thing is that if I take a reference to the child object and then take the address of the str field, everything is OK. It seems that g++ cannot handle the inner child object's str if it is accessed via parent->child.str, but it is OK when a reference is taken to the child and str is then accessed via child.str.

$ cat main.cpp && g++ -D_FORTIFY_SOURCE=2 -O2 main.cpp && ./a.out
#include <cstdlib>
#include <cstring>
#include <iostream>

struct Parent {
    struct Child {
        int a;
        char b;
        char str[0]; ///< ASCIIZ
    } child;
};

//#define DONT_CRASH

int main(int argc, char** argv) {
    char* buffer = new char[32768];
    Parent* parent = (Parent*) buffer;
    parent->child.a = 1;
    parent->child.b = 'a';
#ifdef DONT_CRASH
    // Taking the child by reference first: no warning, no abort.
    Parent::Child& child = parent->child;
    char* childStr = child.str;
#else
    // Accessing the member through the parent: bogus warning and abort.
    char* childStr = parent->child.str;
#endif
    std::cout << __USE_FORTIFY_LEVEL << std::endl;
    std::cout << __bos(childStr) << std::endl;   // object size as seen by fortify
    size_t strLen = 4;
    std::strncpy(childStr, "test", strLen);
    if (childStr[strLen] not_eq '\0') {
        childStr[strLen] = '\0';
    }
    return 0;
}
In file included from /usr/include/string.h:640:0,
                 from /usr/include/c++/4.8.2/cstring:42,
                 from main.cpp:2:
In function ‘char* strncpy(char*, const char*, size_t)’,
    inlined from ‘int main(int, char**)’ at main.cpp:38:43:
/usr/include/bits/string3.h:120:71: warning: call to char* __builtin___strncpy_chk(char*, const char*, long unsigned int, long unsigned int) will always overflow destination buffer [enabled by default]
   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
                                                                       ^
2
0
*** buffer overflow detected ***: ./a.out terminated
...
Aborted
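The abort comes from glibc's fortified strncpy comparing the requested length against the destination size that __builtin_object_size reports; in the report that size is 0 for parent->child.str although the record sits in a 32768-byte buffer. The following C program is an added example (not the bug report's code and not part of GCC or glibc) that makes the same check explicit: the caller computes the true capacity of a flexible array member from the enclosing allocation and a checked copy refuses anything that would not fit. The struct `record` and the functions `record_str_capacity`, `record_alloc`, `checked_copy` and `record_set_str` are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the reporter's Child: a header followed by a flexible array
   member (C99 form rather than the char str[0] GNU extension). Its capacity
   is whatever the enclosing allocation leaves past the header. */
struct record {
    int  a;
    char b;
    char str[];
};

/* Bytes available for str in an allocation of alloc_size bytes that starts
   at the record. This is the value a correct __builtin_object_size(r->str, 0)
   would yield for a known-size buffer; the report shows GCC 4.8.2 yielding 0
   for parent->child.str instead. */
size_t record_str_capacity(size_t alloc_size)
{
    size_t header = offsetof(struct record, str);
    return alloc_size > header ? alloc_size - header : 0;
}

/* Allocate a record able to hold str_capacity bytes of string data
   (hypothetical helper for this example). */
struct record *record_alloc(size_t str_capacity)
{
    size_t total = offsetof(struct record, str) + str_capacity;
    return (struct record *)malloc(total);
}

/* Checked copy with the same decision rule as a fortified strncpy: refuse
   when the requested length exceeds the destination's known size. Unlike
   strncpy it always NUL-terminates, so it also needs room for the terminator.
   A dst_size of (size_t)-1 is how __builtin_object_size reports "unknown";
   as with fortify, the check then passes and the copy proceeds.
   Returns 0 on success, -1 when the copy would overflow. */
int checked_copy(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Store src into r->str, given the size of the allocation r lives in. */
int record_set_str(struct record *r, size_t alloc_size, const char *src)
{
    size_t cap = record_str_capacity(alloc_size);
    return checked_copy(r->str, cap, src, strlen(src));
}

/* Stand-alone driver mirroring the report's copy of "test" into a
   32768-byte heap buffer; exits 0 when the copy fits. */
int main(void)
{
    size_t alloc = 32768;
    struct record *r = record_alloc(record_str_capacity(alloc));
    if (!r)
        return 2;
    r->a = 1;
    r->b = 'a';
    int rc = record_set_str(r, alloc, "test");
    free(r);
    return rc == 0 ? 0 : 1;
}
```

The capacity is derived from the allocation size rather than from sizeof(struct record), because sizeof does not include the flexible array member; that derivation is exactly what fortify relies on the compiler to perform, and what went wrong in the report.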