https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106332

            Bug ID: 106332
           Summary: Possible out of bound buffer access in opts-common.c
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: liftdat at protonmail dot com
  Target Milestone: ---

In the file gcc/opts-common.cc, the function candidates_list_and_hint has the
following code (link:
https://github.com/gcc-mirror/gcc/blob/9715f10c0651c9549b479b69d67be50ac4bd98a6/gcc/opts-common.cc#L1342):

const char *
candidates_list_and_hint (const char *arg, char *&str,
                          const auto_vec <const char *> &candidates)
{
  size_t len = 0;
  int i;
  const char *candidate;
  char *p;

  FOR_EACH_VEC_ELT (candidates, i, candidate)
    len += strlen (candidate) + 1;

  str = p = XNEWVEC (char, len);
  FOR_EACH_VEC_ELT (candidates, i, candidate)
    {
      len = strlen (candidate);
      memcpy (p, candidate, len);
      p[len] = ' ';
      p += len + 1;
    }
  p[-1] = '\0';
  return find_closest_string (arg, &candidates);
}

When candidates is an empty vector, the buffer access p[-1] is out of bounds.

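The empty-vector case described in the report, as an added example that is not part of the original report or of GCC's source: the sizing loop yields 0 bytes for an empty vector, and a guarded variant returns "" instead of writing p[-1]. Assumptions: std::vector stands in for auto_vec, new[] stands in for XNEWVEC, and the names candidate_vec, candidates_buffer_len and join_candidates_guarded are hypothetical.

```cpp
#include <cstdio>
#include <cstring>
#include <vector>

// Stand-in for GCC's auto_vec<const char *> (assumption for this example).
typedef std::vector<const char *> candidate_vec;

// Bytes requested by the sizing loop in the report: sum of strlen + 1.
// For an empty vector this is 0, so p[-1] has no valid byte to land on.
size_t
candidates_buffer_len (const candidate_vec &candidates)
{
  size_t len = 0;
  for (const char *candidate : candidates)
    len += strlen (candidate) + 1;
  return len;
}

// Hypothetical guarded variant: allocates at least one byte and only
// rewrites the trailing separator when something was actually copied.
// The caller releases the result with delete[].
char *
join_candidates_guarded (const candidate_vec &candidates)
{
  size_t total = candidates_buffer_len (candidates);
  char *str = new char[total ? total : 1];
  char *p = str;
  for (const char *candidate : candidates)
    {
      size_t len = strlen (candidate);
      memcpy (p, candidate, len);
      p[len] = ' ';
      p += len + 1;
    }
  if (p != str)
    p[-1] = '\0';  // replace the last separator with the terminator
  else
    *p = '\0';     // empty input: return "" without touching p[-1]
  return str;
}

int main ()
{
  candidate_vec none, some = { "-Wall", "-Wextra" };  // constructed inputs
  char *a = join_candidates_guarded (none);
  char *b = join_candidates_guarded (some);
  printf ("empty: \"%s\"  two: \"%s\"\n", a, b);
  delete[] a; delete[] b;
  return 0;
}
```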