https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93636

            Bug ID: 93636
           Summary: Incorrect diagnostic of a potential string overflow in
                    strncat
           Product: gcc
           Version: 9.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sebunger44 at gmail dot com
  Target Milestone: ---

Created attachment 47801
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=47801&action=edit
Preprocessed source file

The following code produces an incorrect warning "specified bound 2 equals
source length". To the best of my understanding, there's nothing wrong with the
bound equalling the size of the source. It certainly has no bearing on whether
this call may or may not overflow the destination.

#include <string.h>

void f(char *dst)
{
   strncat(dst, "Hi", 2);
}

My system is an amd64 installation of Ubuntu 19.10. The following is the
command line used to produce the result and its output:

$ gcc -v -save-temps -Wall -Werror -c strncat-bug.c 
Using built-in specs.
COLLECT_GCC=gcc
OFFLOAD_TARGET_NAMES=nvptx-none:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 9.2.1-9ubuntu2'
--with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr
--with-gcc-major-version-only --program-suffix=-9
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib
--with-target-system-zlib=auto --enable-multiarch --disable-werror
--with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32
--enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none,hsa
--without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 9.2.1 20191008 (Ubuntu 9.2.1-9ubuntu2) 
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-Wall' '-Werror' '-c' '-mtune=generic'
'-march=x86-64'
 /usr/lib/gcc/x86_64-linux-gnu/9/cc1 -E -quiet -v -imultiarch x86_64-linux-gnu
strncat-bug.c -mtune=generic -march=x86-64 -Wall -Werror -fpch-preprocess
-fasynchronous-unwind-tables -fstack-protector-strong -Wformat-security
-fstack-clash-protection -fcf-protection -o strncat-bug.i
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring nonexistent directory
"/usr/lib/gcc/x86_64-linux-gnu/9/../../../../x86_64-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-linux-gnu/9/include
 /usr/local/include
 /usr/lib/gcc/x86_64-linux-gnu/9/include-fixed
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-Wall' '-Werror' '-c' '-mtune=generic'
'-march=x86-64'
 /usr/lib/gcc/x86_64-linux-gnu/9/cc1 -fpreprocessed strncat-bug.i -quiet
-dumpbase strncat-bug.c -mtune=generic -march=x86-64 -auxbase strncat-bug -Wall
-Werror -version -fasynchronous-unwind-tables -fstack-protector-strong
-Wformat-security -fstack-clash-protection -fcf-protection -o strncat-bug.s
GNU C17 (Ubuntu 9.2.1-9ubuntu2) version 9.2.1 20191008 (x86_64-linux-gnu)
        compiled by GNU C version 9.2.1 20191008, GMP version 6.1.2, MPFR
version 4.0.2, MPC version 1.1.0, isl version isl-0.21-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
GNU C17 (Ubuntu 9.2.1-9ubuntu2) version 9.2.1 20191008 (x86_64-linux-gnu)
        compiled by GNU C version 9.2.1 20191008, GMP version 6.1.2, MPFR
version 4.0.2, MPC version 1.1.0, isl version isl-0.21-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: dd54e5384b34908287640134d9f8a49c
strncat-bug.c: In function ‘f’:
strncat-bug.c:5:4: error: ‘strncat’ specified bound 2 equals source length
[-Werror=stringop-overflow=]
    5 |    strncat(dst, "Hi", 2);
      |    ^~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
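
Added illustration, not part of the original report and not GCC code: the bound passed to strncat limits how many characters are taken from the source, and a terminating NUL is always written in addition, so whether the call fits depends on the space left in the destination. The helper and function names below are hypothetical and the buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes strncat(dst, src, n) stores from dst's old terminator onward:
   at most n characters of src, plus one NUL that n does not count. */
size_t strncat_bytes_written(const char *src, size_t n)
{
    size_t len = 0;
    while (len < n && src[len] != '\0')
        len++;
    return len + 1;
}

/* Hypothetical helper: call strncat only when the result fits in dst_size.
   Returns 0 on success, -1 when the append is refused. */
int append_checked(char *dst, size_t dst_size, const char *src, size_t n)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;                      /* dst is not a terminated string */
    size_t room = dst_size - (size_t)(end - dst);   /* includes old NUL slot */
    if (strncat_bytes_written(src, n) > room)
        return -1;                      /* would write past dst */
    strncat(dst, src, n);
    return 0;
}

/* Constructed cases: the report's call, strncat(dst, "Hi", 2), against
   destinations that already hold "Oh, " (4 characters). */
int demo_fits(void)      { char b[7] = "Oh, "; return append_checked(b, sizeof b, "Hi", 2); }
int demo_too_small(void) { char b[6] = "Oh, "; return append_checked(b, sizeof b, "Hi", 2); }

int main(void)
{
    printf("bytes written by strncat(dst, \"Hi\", 2): %zu\n",
           strncat_bytes_written("Hi", 2));
    printf("7-byte dst: %d, 6-byte dst: %d\n", demo_fits(), demo_too_small());
    return 0;
}
```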
