https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91631

            Bug ID: 91631
           Summary: buffer overflow into an array member of a declared
                    object not detected
           Product: gcc
           Version: 9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

Even with -D_FORTIFY_SOURCE=2 GCC diagnoses only two out of the six instances
of buffer overflow in the strcpy calls below.

$ cat a.c && gcc -D_FORTIFY_SOURCE=2 -O2 -S -Wall -Wextra -Wpedantic a.c
#include <string.h>

// Two fixed-size char members followed by a flexible array member.  Declaring
// arrays of such a struct (es and is below) is what GCC flags under -Wpedantic
// as "invalid use of structure with flexible array member".
struct S { char a[3], b[5], c[]; };

// External array of unknown bound: the total object size is not known in this
// translation unit, but the size of each fixed member (a, b) still is.
extern struct S es[];
// File-local array of two elements: the whole object size is known here.
static struct S is[2];

// Deliberate overflow of a fixed member of an extern object: a is 4 bytes
// ("123" plus the terminator) but es[0].a holds 3.  The destination member's
// size is known at compile time, so the report expects -Wstringop-overflow
// here; the compiler output above shows no diagnostic for efa.
void efa (void)
{
  char a[] = "123";
  strcpy (es[0].a, a);   // missing warning
}

// Deliberate overflow of a fixed member of an extern object: a is 6 bytes
// ("12345" plus the terminator) but es[0].b holds 5.  As with efa, the member
// size is known regardless of the unknown array bound; no warning is emitted.
void efb (void)
{
  char a[] = "12345";
  strcpy (es[0].b, a);   // missing warning
}

// Deliberate write into the flexible array member of an extern object.  The
// declaration of es reserves no storage for c, so the 4-byte copy runs past
// the declared element.  The report expects a warning; none is emitted.
void efc (void)
{
  char a[] = "123";
  strcpy (es[0].c, a);   // missing warning
}

// Same overflow as efa, but on the file-local object is whose size is fully
// known.  This one is diagnosed: GCC reports "writing 4 bytes into a region
// of size 3" via the fortified strcpy.
void ifa (void)
{
  char a[] = "123";
  strcpy (is[0].a, a);   // warning (good)
}

// Same overflow as efb, but on the file-local object is.  This one is
// diagnosed: GCC reports "writing 6 bytes into a region of size 5".
void ifb (void)
{
  char a[] = "12345";
  strcpy (is[0].b, a);   // warning (good)
}

// Same write into the flexible array member as efc, but on the file-local
// object is.  Even though the size of is is known, the 4-byte copy into c
// (which the declaration gives no storage) is not diagnosed; the report
// expects a warning here as well.
void ifc (void)
{
  char a[] = "123";
  strcpy (is[0].c, a);   // missing warning
}


a.c:5:17: warning: invalid use of structure with flexible array member
[-Wpedantic]
    5 | extern struct S es[];
      |                 ^~
a.c:6:17: warning: invalid use of structure with flexible array member
[-Wpedantic]
    6 | static struct S is[2];
      |                 ^~
In file included from /usr/include/string.h:494,
                 from a.c:1:
In function ‘strcpy’,
    inlined from ‘ifa’ at a.c:29:3:
/usr/include/bits/string_fortified.h:90:10: warning: ‘__builtin___memcpy_chk’
writing 4 bytes into a region of size 3 overflows the destination
[-Wstringop-overflow=]
   90 |   return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘strcpy’,
    inlined from ‘ifb’ at a.c:35:3:
/usr/include/bits/string_fortified.h:90:10: warning: ‘__builtin___memcpy_chk’
writing 6 bytes into a region of size 5 overflows the destination
[-Wstringop-overflow=]
   90 |   return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
