https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86349
Bug ID: 86349
Summary: diagnose string overflow for allocations of
non-constant sizes
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
Even though the lengths of the strings in the test case below are unknown it is
possible to determine that the strcpy() call overflows the destination because
it writes one more byte into the region than have been allocated for it. This
type of an error can be detected in the strlen() pass by looking at the size of
the destination of a call like strcpy or memcpy and comparing it to the length
of the source string. Even if neither is constant, if the length of the source
is greater than the size of the destination (or very likely greater, ignoring
unsigned integer wrapping), diagnosing it would catch the error.
$ cat c.c && gcc -O2 -S -Wall -fdump-tree-strlen=/dev/stdout c.c
char* f (const char *s)
{
__SIZE_TYPE__ n = __builtin_strlen (s);
char *p = __builtin_malloc (n);
__builtin_strcpy (p, s);
return p;
}
;; Function f (f, funcdef_no=0, decl_uid=1898, cgraph_uid=1, symbol_order=0)
f (const char * s)
{
char * p;
long unsigned int n;
long unsigned int _8;
<bb 2> [local count: 1073741825]:
n_3 = __builtin_strlen (s_2(D));
p_5 = __builtin_malloc (n_3);
_8 = n_3 + 1;
__builtin_memcpy (p_5, s_2(D), _8);
return p_5;
}
