https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104746

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
The warning certainly looks cryptic but seems to actually point out a real bug
in the code: len is set to 1 less than the number of bytes the sprintf call
writes to the buffer (the two strings plus the slash character plus the
terminating nul byte).

That said, the warning persists even with a buffer of sufficient size, but then
disappears if the empty definition of systemd_escape2() is removed.  Since the
function fails to return a result the test case is invalid, I'm guessing
because it was reduced too far.  Can you provide a valid test case?

FYI, level 2 of -Wformat-overflow is designed to "warn also about calls that
might overflow the destination buffer given an argument of sufficient length or
magnitude" so it will have a higher rate of false positives in cases where some
arguments cannot be determined to be sufficiently constrained to avoid an
overflow.  In addition, there is no support for symbolic constraints involving
multiple arguments (like strlen(a) + strlen (b) < bufsize - 1) so the warning
is susceptible to false positives for calls involving such arguments, as in
sprintf(buf, "%s/%s", a, b).
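
The size arithmetic described in the comment above, as an added example that is not the test case from the bug report or code from GCC. The helper names `join_size`, `join_into` and `join_alloc` and the sample strings are hypothetical; the bounded call uses `snprintf` and checks its return value so a short buffer is reported instead of overrun.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that sprintf(buf, "%s/%s", a, b) stores:
   both strings, the slash, and the terminating nul. */
size_t join_size(const char *a, const char *b)
{
    return strlen(a) + 1 + strlen(b) + 1;
}

/* Join into a caller-supplied buffer. Returns 0 on success, -1 if the
   result (including the nul) does not fit; buf is never overrun. */
int join_into(char *buf, size_t bufsize, const char *a, const char *b)
{
    int n = snprintf(buf, bufsize, "%s/%s", a, b);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;              /* output error or truncation */
    return 0;
}

/* Allocate exactly join_size() bytes; caller frees. NULL on failure. */
char *join_alloc(const char *a, const char *b)
{
    size_t size = join_size(a, b);
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    if (join_into(buf, size, a, b) != 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    const char *a = "run", *b = "unit";  /* constructed sample input */
    char small[8];  /* strlen(a) + strlen(b) + 1: one byte short */

    printf("bytes needed: %zu\n", join_size(a, b));
    printf("8-byte buffer: %d\n", join_into(small, sizeof small, a, b));
    char *p = join_alloc(a, b);
    if (p) { puts(p); free(p); }
    return 0;
}
```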
