https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94187
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org
             Status|WAITING                     |NEW
--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I can reproduce it.
The bug is obvious. We have exp STRING_CST "", nchars is 1, offset is 0 and
nbytes is 4 (because of the UB in the source code).
  const char *prep = NULL;
  if (TREE_CODE (exp) == STRING_CST)
    {
      unsigned nchars = TREE_STRING_LENGTH (exp);
      if (nchars < offset)
        return false;

      if (!nbytes)
        /* If NBYTES hasn't been determined earlier, either from ADDR_EXPR
           (i.e., it's the size of a pointer), or from MEM_REF (as the size
           of the access), set it here to the size of the string, including
           all internal and trailing nuls if the string has any.  */
        nbytes = nchars - offset;

      prep = TREE_STRING_POINTER (exp) + offset;
    }
...
  /* When either ALLNUL is set and N is zero, also determine
     whether all subsequent bytes after the first one (which
     is nul) are zero or nonzero and clear ALLNUL if not.  */
  for (const char *p = prep; p != prep + nbytes; ++p)
    if (*p)
      {
        *allnul = false;
        break;
      }
Which means we happily read bytes from the "" string beyond the limit.
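The over-read described in the comment happens because the scan loop trusts NBYTES even when it exceeds the bytes remaining in the STRING_CST. The following is an added, self-contained illustration of the same shape of scan with the missing clamp in place; it is not GCC code and does not claim to be the fix that was committed for this bug. The names all_bytes_nul, scan_length and check_allnul, and the sample strings, are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed helper (not GCC): number of bytes the scan may examine.
   NCHARS is the full length of the string constant including any
   trailing nul, OFFSET the start of the access, NBYTES the requested
   size (0 meaning "not determined yet", as in the comment above).
   The result never exceeds the bytes that actually exist at OFFSET. */
size_t scan_length (size_t nchars, size_t offset, size_t nbytes)
{
  if (offset > nchars)
    return 0;
  size_t avail = nchars - offset;
  if (nbytes == 0)
    return avail;          /* whole remainder, like the original code */
  return nbytes > avail ? avail : nbytes;   /* the clamp the bug lacked */
}

/* Constructed mirror of the scan: sets *ALLNUL to whether every examined
   byte is zero.  Returns false on an invalid request (OFFSET past the
   end).  The loop bound comes from scan_length, so the read stays inside
   STR[0 .. NCHARS). */
bool all_bytes_nul (const char *str, size_t nchars, size_t offset,
                    size_t nbytes, bool *allnul)
{
  if (offset > nchars)
    return false;
  size_t n = scan_length (nchars, offset, nbytes);
  const char *prep = str + offset;
  *allnul = true;
  for (const char *p = prep; p != prep + n; ++p)
    if (*p)
      {
        *allnul = false;
        break;
      }
  return true;
}

/* Convenience wrapper for tests: ALLNUL result, or false if the request
   was rejected. */
bool check_allnul (const char *str, size_t nchars, size_t offset,
                   size_t nbytes)
{
  bool allnul = false;
  if (!all_bytes_nul (str, nchars, offset, nbytes, &allnul))
    return false;
  return allnul;
}

int main (void)
{
  /* The scenario from the comment: exp is "", nchars 1, offset 0,
     nbytes 4.  Only the single nul byte is examined. */
  return check_allnul ("", 1, 0, 4) ? 0 : 1;
}
```

With the clamp, the "" / nbytes == 4 case examines exactly one byte instead of four, which is the property a sanitizer build (-fsanitize=address on the host compiler) would otherwise flag as a heap or global buffer over-read.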