https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80074

            Bug ID: 80074
           Summary: missing -Wstringop-overflow on a detected
                    __builtin___sprintf_chk overflow
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

The call to __builtin___sprintf_chk in the following program overflows the
destination: d holds a single byte, while either possible value of s needs four
(three characters plus the terminating NUL).  The overflow is detected at
runtime and is clearly detectable at compile time, but it is not diagnosed at
compile time as it should be.

$ cat t.c && gcc -Wall -Wextra -Wpedantic -Wrestrict
-fdump-tree-optimized=/dev/stdout t.c && ./a.out 
/* Destination object: one byte, i.e. room for the empty string only.
   Either value of s below ("123" or "456") needs four bytes. */
char d[1];

/* Reproducer: on every path the formatted output is four bytes ("123" or
   "456" plus the terminating NUL), written into the one-byte object d.
   The object-size argument handed to __builtin___sprintf_chk is
   sizeof d == 1, so the fortified call aborts at runtime (see the
   "buffer overflow detected" output below); the point of the report is
   that the same bound is already known at compile time and should be
   diagnosed by -Wstringop-overflow.  argv is unused, hence the
   -Wunused-parameter warning in the output. */
int main (int argc, char *argv[])
{
  /* Selected from argc so that s is not a single constant, but both
     alternatives are the same length, so the output length is still
     bounded at compile time (see the PHI in the optimized dump).  */
  const char *s = argc < 0 ? "123" : "456";

  /* Arguments are destination, flag, object size, format, ...; the
     object size is the true size of d (1), so this write always
     overflows.  */
  int n = __builtin___sprintf_chk (d, 0, sizeof d, "%s", s);

  /* Not reached once the fortified call aborts; otherwise it would print
     the sprintf return value and at most n bytes of d.  main falls off
     the end, which returns 0 in C99 (the dump shows _10 = 0).  */
  __builtin_printf ("%i: \"%.*s\"\n", n, n, d);
}
t.c: In function ‘main’:
t.c:3:27: warning: unused parameter ‘argv’ [-Wunused-parameter]
 int main (int argc, char *argv[])
                           ^~~~

;; Function main (main, funcdef_no=0, decl_uid=1797, cgraph_uid=0,
symbol_order=1)

main (int argc, char * * argv)
{
  int n;
  const char * s;
  int D.1806;
  char[4] * iftmp.0;
  char[4] * iftmp.0_1;
  char[4] * iftmp.0_3;
  char[4] * iftmp.0_4;
  int _10;

  <bb 2> [0.00%]:
  if (argc_2(D) < 0)
    goto <bb 3>; [0.00%]
  else
    goto <bb 4>; [0.00%]

  <bb 3> [0.00%]:
  iftmp.0_4 = "123";
  goto <bb 5>; [0.00%]

  <bb 4> [0.00%]:
  iftmp.0_3 = "456";

  <bb 5> [0.00%]:
  # iftmp.0_1 = PHI <iftmp.0_4(3), iftmp.0_3(4)>
  s_5 = iftmp.0_1;
  n_8 = __builtin___sprintf_chk (&d, 0, 1, "%s", s_5);
  __builtin_printf ("%i: \"%.*s\"\n", n_8, n_8, &d);
  _10 = 0;

<L3> [0.00%]:
  return _10;

}


*** buffer overflow detected ***: ./a.out terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x77de5)[0x7f0975f73de5]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f0976010167]
/lib64/libc.so.6(+0x1122f0)[0x7f097600e2f0]
/lib64/libc.so.6(+0x111859)[0x7f097600d859]
/lib64/libc.so.6(_IO_default_xsputn+0x80)[0x7f0975f77bc0]
/lib64/libc.so.6(_IO_vfprintf+0xaa6)[0x7f0975f48336]
/lib64/libc.so.6(__vsprintf_chk+0x8c)[0x7f097600d8ec]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7f097600d83d]
./a.out[0x4005fb]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f0975f1c580]
./a.out[0x4004c9]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fd:03 8129719                           
/home/msebor/build/tmp/a.out
00600000-00601000 r--p 00000000 fd:03 8129719                           
/home/msebor/build/tmp/a.out
00601000-00602000 rw-p 00001000 fd:03 8129719                           
/home/msebor/build/tmp/a.out
00a07000-00a28000 rw-p 00000000 00:00 0                                  [heap]
7f0975ce5000-7f0975cfb000 r-xp 00000000 fd:00 4091                      
/usr/lib64/libgcc_s-5.3.1-20160406.so.1
7f0975cfb000-7f0975efa000 ---p 00016000 fd:00 4091                      
/usr/lib64/libgcc_s-5.3.1-20160406.so.1
7f0975efa000-7f0975efb000 r--p 00015000 fd:00 4091                      
/usr/lib64/libgcc_s-5.3.1-20160406.so.1
7f0975efb000-7f0975efc000 rw-p 00016000 fd:00 4091                      
/usr/lib64/libgcc_s-5.3.1-20160406.so.1
7f0975efc000-7f09760b3000 r-xp 00000000 fd:00 11035                     
/usr/lib64/libc-2.22.so
7f09760b3000-7f09762b3000 ---p 001b7000 fd:00 11035                     
/usr/lib64/libc-2.22.so
7f09762b3000-7f09762b7000 r--p 001b7000 fd:00 11035                     
/usr/lib64/libc-2.22.so
7f09762b7000-7f09762b9000 rw-p 001bb000 fd:00 11035                     
/usr/lib64/libc-2.22.so
7f09762b9000-7f09762bd000 rw-p 00000000 00:00 0 
7f09762bd000-7f09762de000 r-xp 00000000 fd:00 73564                     
/usr/lib64/ld-2.22.so
7f09764c1000-7f09764c4000 rw-p 00000000 00:00 0 
7f09764db000-7f09764dd000 rw-p 00000000 00:00 0 
7f09764dd000-7f09764de000 r--p 00020000 fd:00 73564                     
/usr/lib64/ld-2.22.so
7f09764de000-7f09764df000 rw-p 00021000 fd:00 73564                     
/usr/lib64/ld-2.22.so
7f09764df000-7f09764e0000 rw-p 00000000 00:00 0 
7ffd4b095000-7ffd4b0b6000 rw-p 00000000 00:00 0                         
[stack]
7ffd4b1a3000-7ffd4b1a5000 r--p 00000000 00:00 0                          [vvar]
7ffd4b1a5000-7ffd4b1a7000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                 
[vsyscall]
Aborted (core dumped)
