https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79223

            Bug ID: 79223
           Summary: missing -Wstringop-overflow on a memmove overflow
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

In the test case below, -Wstringop-overflow detects the buffer overflow in
the call to memmove() in function f() but fails to detect the same overflow in
the call to __builtin_memmove().

This is another case I missed when implementing the warning, in addition to bug
79222.

$ cat t.c && gcc -D_FORTIFY_SOURCE=2 -O2 -S -Wall -Wextra -Wpedantic
-fdump-tree-vrp=/dev/stdout t.c
#include <string.h>

char d[3];

void f (void)
{
  memmove (d, d + 1, 17);
}

void g (void)
{
  __builtin_memmove (d, d + 1, 17);
}


;; Function f (f, funcdef_no=24, decl_uid=2254, cgraph_uid=24, symbol_order=25)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

Value ranges after VRP:



f ()
{
  <bb 2> [100.00%]:
  __builtin___memmove_chk (&d, &MEM[(void *)&d + 1B], 17, 3);
  return;

}



;; Function f (f, funcdef_no=24, decl_uid=2254, cgraph_uid=24, symbol_order=25)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

Value ranges after VRP:



f ()
{
  <bb 2> [100.00%]:
  __builtin___memmove_chk (&d, &MEM[(void *)&d + 1B], 17, 3);
  return;

}


In file included from /usr/include/string.h:639:0,
                 from t.c:1:
In function ‘memmove’,
    inlined from ‘f’ at t.c:7:3:
/usr/include/bits/string3.h:57:10: warning: ‘__builtin___memmove_chk’ writing
17 bytes into a region of size 3 overflows the destination
[-Wstringop-overflow=]
   return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest));
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

;; Function g (g, funcdef_no=25, decl_uid=2257, cgraph_uid=25, symbol_order=26)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

Value ranges after VRP:



g ()
{
  <bb 2> [100.00%]:
  __builtin_memmove (&d, &MEM[(void *)&d + 1B], 17);
  return;

}



;; Function g (g, funcdef_no=25, decl_uid=2257, cgraph_uid=25, symbol_order=26)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

Value ranges after VRP:



g ()
{
  <bb 2> [100.00%]:
  __builtin_memmove (&d, &MEM[(void *)&d + 1B], 17);
  return;

}
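The check that -Wstringop-overflow performs statically on the fortified call in f() (the 17-byte length against the 3-byte destination reported by __bos0) can also be done at run time, which is the fallback that protects the unfortified __builtin_memmove() in g() until the compiler diagnoses it. The following is an added example, not code from the bug report or from GCC; checked_memmove, CHECKED_MEMMOVE, page_case and the other helpers are hypothetical names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not GCC code): the destination-size check that
   __builtin___memmove_chk performs, done as an explicit run-time guard.
   Returns 0 and copies when the write fits, -1 without copying otherwise. */
static int checked_memmove(void *dst, size_t dst_size,
                           const void *src, size_t n)
{
    /* (size_t)-1 is what __builtin_object_size reports for "unknown";
       with no size information the call cannot be rejected, so copy. */
    if (dst_size != (size_t)-1 && n > dst_size)
        return -1;              /* would write past the destination */
    memmove(dst, src, n);
    return 0;
}

/* Derive the destination size the same way the fortified wrapper does
   (__bos0 (__dest)); objects of unknown size yield (size_t)-1. */
#define CHECKED_MEMMOVE(dst, src, n) \
    checked_memmove((dst), __builtin_object_size((dst), 0), (src), (n))

char d[3];

/* The report's test case with an explicit size: the 17-byte move into
   d[3] is rejected instead of overwriting whatever follows d. */
int page_case(void)
{
    return checked_memmove(d, sizeof d, d + 1, 17);     /* -1 */
}

/* An in-bounds move for comparison; the copy is performed and the
   shifted bytes are verified. */
int in_bounds_case(void)
{
    char buf[8] = "abcdefg";
    int rc = checked_memmove(buf, sizeof buf, buf + 1, 7); /* "bcdefg" */
    return (rc == 0 && buf[0] == 'b' && buf[6] == '\0') ? 0 : -1;
}

/* Destination of unknown size: the guard cannot reject, so it copies. */
int unknown_size_case(void)
{
    char buf[4];
    return checked_memmove(buf, (size_t)-1, "abc", 4);  /* 0 */
}
```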
