https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93454

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <ja...@gcc.gnu.org>:

https://gcc.gnu.org/g:3c076c9642fd8877def0a0597ec7e4adfb5aa3b3

commit r10-6272-g3c076c9642fd8877def0a0597ec7e4adfb5aa3b3
Author: Jakub Jelinek <ja...@redhat.com>
Date:   Tue Jan 28 08:44:07 2020 +0100

    gimple-fold: Fix buffer overflow in fold_array_ctor_reference [PR93454]

    libgcrypt FAILs to build on aarch64-linux with
    *** stack smashing detected ***: terminated
    when gcc is compiled with -D_FORTIFY_SOURCE=2.  The problem is if
    fold_array_ctor_reference is called with size equal to or very close to
    MAX_BITSIZE_MODE_ANY_MODE bits and non-zero inner_offset.
    The first native_encode_expr is called with that inner_offset and bufoff 0,
    the subsequent ones with offset of 0, and bufoff elt_size - inner_offset,
    2 * elt_size - inner_offset etc.  So, e.g. on the testcase where we start
    with inner_offset 1 and size is e.g. 256 bytes and elt_size 4 bytes
    we then call native_encode_expr at bufoff 251 and then 255, but that one
    overwrites 3 bytes beyond the buf array.
    The following patch fixes that.  In addition, it avoids calling
    elt_size.to_uhwi () all the time, and punts if elt_sz would be too large.

    2020-01-28  Jakub Jelinek  <ja...@redhat.com>

        PR tree-optimization/93454
        * gimple-fold.c (fold_array_ctor_reference): Perform
        elt_size.to_uhwi () just once, instead of calling it in every
        iteration.  Punt if that value is above size of the temporary
        buffer.  Decrease third native_encode_expr argument when
        bufoff + elt_sz is above size of buf.

        * gcc.dg/pr93454.c: New test.
