https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97023
Bug ID: 97023
Summary: missing warning on buffer overflow in chained mempcpy
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
-Wstringop-overflow successfully diagnoses a buffer overflow by the second in a
chain of calls to stpcpy but fails to detect the same bug in calls to mempcpy
because it doesn't track function arguments that are returned from builti-ins
like mempcpy or memchr.
$ cat z.c && gcc -O2 -S z.c
char a[7];
void* f (void)
{
void *p = __builtin_stpcpy (a, "123");
p = __builtin_stpcpy (p, "4567"); // warning (good)
return p;
}
void* g (void)
{
void *p = __builtin_mempcpy (a, "123", 3);
p = __builtin_mempcpy (p, "4567", 5); // missing warning
return p;
}
z.c: In function ‘f’:
z.c:5:13: warning: ‘__builtin_memcpy’ writing 5 bytes into a region of size 4
[-Wstringop-overflow=]
5 | void *p = __builtin_stpcpy (a, "123");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
z.c:1:6: note: at offset 3 to object ‘a’ with size 7 declared here
1 | char a[7];
| ^
