https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78245
Bug ID: 78245
Summary: missing -Wformat-length on an overflow of a dynamically allocated buffer
Product: gcc
Version: 7.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---

The -Wformat-length warning points out instances of buffer overflow involving either statically or automatically allocated buffers but fails to do the same for dynamically allocated ones, greatly diminishing the usefulness of the checker. The test case below demonstrates the problem.

$ cat b.c && /build/gcc-git/gcc/xgcc -B /build/gcc-git/gcc -O2 -S -Wall b.c
char a[2];
char *p;

void f_auto (void)
{
  __builtin_sprintf (a, "%i", 123);   // warning
}

void f_static (void)
{
  char b[2];
  __builtin_sprintf (b, "%i", 123);   // warning

  extern void sink (void*);
  sink (b);
}

void g (void)
{
  p = __builtin_malloc (2);
  __builtin_sprintf (p, "%i", 123);   // no warning
}

b.c: In function ‘f_auto’:
b.c:6:26: warning: ‘%i’ directive writing 3 bytes into a region of size 2 [-Wformat-length=]
   __builtin_sprintf (a, "%i", 123);   // warning
                          ^~
b.c:6:3: note: format output 4 bytes into a destination of size 2
   __builtin_sprintf (a, "%i", 123);   // warning
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
b.c: In function ‘f_static’:
b.c:12:26: warning: ‘%i’ directive writing 3 bytes into a region of size 2 [-Wformat-length=]
   __builtin_sprintf (b, "%i", 123);   // warning
                          ^~
b.c:12:3: note: format output 4 bytes into a destination of size 2
   __builtin_sprintf (b, "%i", 123);   // warning
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
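Because the checker reported here does not flag the heap case in g(), code that formats into a malloc'd buffer has to be made safe by construction rather than by relying on the diagnostic. The following is an added example, not part of the bug report or of GCC: it sizes the heap buffer from the formatted length (snprintf with a NULL destination) before allocating, and shows the bounded snprintf variant that truncates instead of overflowing a buffer that is too small. The helper names format_int_alloc and format_int_bounded are made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the report): format an int into a heap
 * buffer whose size is computed from the formatted length, so the
 * undersized __builtin_malloc (2) in g() cannot recur.  Returns NULL on
 * a formatting error or allocation failure; the caller frees the result. */
char *format_int_alloc (int value)
{
  /* A NULL destination with size 0 returns the length without the NUL. */
  int needed = snprintf (NULL, 0, "%i", value);
  if (needed < 0)
    return NULL;

  char *buf = malloc ((size_t) needed + 1);
  if (buf == NULL)
    return NULL;

  snprintf (buf, (size_t) needed + 1, "%i", value);
  return buf;
}

/* Bounded counterpart for a caller-supplied buffer: snprintf never writes
 * past size bytes.  Returns the length the output needed (excluding NUL);
 * a return value >= size means the output was truncated, which is the
 * condition the caller should check instead of trusting the buffer size. */
int format_int_bounded (char *dst, size_t size, int value)
{
  return snprintf (dst, size, "%i", value);
}

int main (void)
{
  char *s = format_int_alloc (123);
  if (s != NULL)
    {
      printf ("allocated: \"%s\" (%zu bytes + NUL)\n", s, strlen (s));
      free (s);
    }

  /* Same 2-byte destination as the report, but the write is bounded. */
  char small[2];
  int needed = format_int_bounded (small, sizeof small, 123);
  printf ("bounded: needed %d bytes, buffer holds \"%s\"%s\n",
          needed, small,
          (size_t) needed >= sizeof small ? " (truncated)" : "");
  return 0;
}
```

The truncation check on the bounded variant is the runtime stand-in for the missing compile-time warning: when the needed length is not smaller than the buffer size, the caller knows the output did not fit.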